├── .envrc ├── .gitignore ├── modules ├── nixpie.nix ├── default.nix ├── packages │ ├── ocaml │ │ ├── default.nix │ │ ├── ssse.nix │ │ ├── dev.nix │ │ └── afit.nix │ ├── python │ │ ├── default.nix │ │ ├── thl.nix │ │ ├── core.nix │ │ ├── dev.nix │ │ └── ssse.nix │ ├── pkgs │ │ ├── octave.nix │ │ ├── cpp.nix │ │ ├── prolog.nix │ │ ├── spider.nix │ │ ├── js.nix │ │ ├── asm.nix │ │ ├── devFunctional.nix │ │ ├── fuse.nix │ │ ├── lisp.nix │ │ ├── coq.nix │ │ ├── latex-exam.nix │ │ ├── afit.nix │ │ ├── opengl.nix │ │ ├── thl.nix │ │ ├── prpa.nix │ │ ├── ocaml.nix │ │ ├── java.nix │ │ ├── sql.nix │ │ ├── games.nix │ │ ├── r.nix │ │ ├── python.nix │ │ ├── rust.nix │ │ ├── scala.nix │ │ ├── docker.nix │ │ ├── gtk.nix │ │ ├── tiger.nix │ │ ├── sdl.nix │ │ ├── csharp.nix │ │ ├── default.nix │ │ ├── net.nix │ │ ├── core.nix │ │ ├── gpgpu.nix │ │ ├── dev.nix │ │ ├── podman.nix │ │ ├── tcinfo.nix │ │ ├── desktop.nix │ │ ├── nts.nix │ │ ├── ssse.nix │ │ └── libvirt.nix │ └── default.nix ├── services │ ├── x11 │ │ ├── files │ │ │ └── background.jpg │ │ ├── desktop-managers │ │ │ └── xfce.nix │ │ ├── window-managers │ │ │ └── i3.nix │ │ ├── redshift.nix │ │ └── display-managers │ │ │ └── sddm.nix │ ├── networking │ │ ├── sshd │ │ │ ├── ssh_host_ed25519_key.pub │ │ │ ├── ssh_host_ed25519_key │ │ │ ├── ssh_host_rsa_key.pub │ │ │ ├── sshd.nix │ │ │ └── ssh_host_rsa_key │ │ ├── aria2.nix │ │ └── privoxy.nix │ ├── hardware │ │ └── bluetooth.nix │ ├── audio │ │ └── alsa.nix │ ├── network-filesystems │ │ └── openafs │ │ │ └── client.nix │ ├── misc │ │ ├── idle-shutdown │ │ │ ├── default.nix │ │ │ └── idle-shutdown.sh │ │ └── sm-inventory-agent │ │ │ ├── default.nix │ │ │ └── push-sm-inventory.sh │ └── admin │ │ ├── node-exporter.nix │ │ ├── machine-state.nix │ │ └── salt │ │ └── minion.nix ├── programs │ └── yubikey.nix ├── misc │ └── label.nix ├── config │ ├── krb5.nix │ └── ldap.nix ├── nswrappers.nix └── list.nix ├── pkgs ├── nixpie │ ├── exec-tools │ │ ├── htop.sh │ │ ├── 
clear_bootcache.sh │ │ ├── dump_create.sh │ │ ├── dump.sh │ │ ├── clear_disk.sh │ │ ├── default.nix │ │ ├── set_bootcache.sh │ │ ├── vm_prepare_disk.sh │ │ └── install_image.sh │ ├── exam-start │ │ ├── default.nix │ │ └── exam-start │ └── nixpie-utils │ │ └── default.nix ├── overrides.nix ├── applications │ ├── networking │ │ └── cisco-packet-tracer │ │ │ └── default.nix │ ├── editors │ │ ├── geany │ │ │ └── default.nix │ │ └── tina │ │ │ └── default.nix │ ├── window-managers │ │ └── i3 │ │ │ └── lock.nix │ └── display-managers │ │ └── sddm │ │ └── sddm-epita-themes.nix ├── by-name │ ├── du │ │ └── dumptorrent │ │ │ └── package.nix │ └── sa │ │ └── salt │ │ └── package.nix ├── default.nix ├── nswrappers │ ├── ns-del-if │ ├── ns-destroy │ ├── ns-exec │ ├── ns-init │ ├── default.nix │ └── ns-add-if ├── development │ ├── compilers │ │ ├── clang32-alias │ │ │ └── default.nix │ │ ├── ocaml │ │ │ └── default.nix │ │ ├── reflex │ │ │ └── default.nix │ │ ├── ovm │ │ │ └── default.nix │ │ ├── havm │ │ │ └── default.nix │ │ ├── nolimips │ │ │ └── default.nix │ │ └── m68k │ │ │ └── default.nix │ ├── libraries │ │ ├── libfff │ │ │ └── default.nix │ │ └── spot-lrde │ │ │ └── default.nix │ ├── python-modules │ │ ├── dash-daq │ │ │ └── default.nix │ │ ├── missingno │ │ │ └── default.nix │ │ ├── dash-colorscales │ │ │ └── default.nix │ │ ├── strsimpy │ │ │ └── default.nix │ │ ├── jupyter_latex_envs │ │ │ └── default.nix │ │ ├── jupyter-dash │ │ │ └── default.nix │ │ ├── nbtranslate │ │ │ └── default.nix │ │ ├── dtale │ │ │ └── default.nix │ │ └── torchtext │ │ │ └── default.nix │ └── tools │ │ ├── dirbuster │ │ └── default.nix │ │ └── clang-format-epita │ │ └── default.nix ├── os-specific │ └── linux │ │ ├── pam_afs_session │ │ └── default.nix │ │ └── pam_subuid │ │ └── default.nix ├── overlays.nix ├── data │ └── documentation │ │ └── numpy │ │ └── default.nix ├── tools │ ├── ipxe-forge │ │ ├── forge.ipxe │ │ └── default.nix │ └── backup │ │ └── clonezilla │ │ └── default.nix └── 
top-level │ └── all-packages.nix ├── profiles ├── default.nix ├── list.nix ├── vm │ └── default.nix ├── local │ └── default.nix ├── tests │ └── default.nix ├── graphical │ └── default.nix ├── exam │ └── default.nix └── core │ └── default.nix ├── lib ├── default.nix ├── overlays-to-pkgs.nix └── make-squashfs.nix ├── renovate.json ├── images ├── special-args.nix ├── exam-prepa.nix ├── exam-france-ioi.nix ├── nixos-test.nix ├── nixos-nts.nix ├── nixos-docker.nix ├── exam-maths.nix ├── nixos-lan.nix ├── nixos-image.nix ├── exam-pie.nix ├── exam-majeures.nix ├── nixos-net.nix ├── nixos-prepa.nix ├── nixos-majeures.nix ├── france-ioi.nix ├── nixos-ssse.nix ├── nixos-summer-program.nix ├── nixos-immersion.nix ├── nixos-pie.nix ├── modules.nix ├── nixos-exec.nix ├── nixos-maths.nix ├── tty-issue.sh ├── docker.nix ├── nixos-gpgpu.nix ├── default.nix └── nixos-cnix-tty.nix ├── .pre-commit-config.yaml ├── tests ├── node-exporter.nix ├── spider.nix ├── nswrappers.nix ├── criterion.nix ├── dotnet.nix ├── gtest.nix ├── login-epita.nix └── default.nix ├── shell.nix ├── default.nix ├── .gitlab └── ci │ ├── utils.sh │ ├── generate-checks-pipeline.sh │ ├── generate-packages-pipeline.sh │ ├── templates.yml │ └── generate-images-pipeline.sh ├── README.md ├── .gitlab-ci.yml └── flake.nix /.envrc: -------------------------------------------------------------------------------- 1 | use_flake 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | result* 2 | *.qcow2 3 | -------------------------------------------------------------------------------- /modules/nixpie.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = builtins.attrValues (import ./list.nix); 3 | } 4 | -------------------------------------------------------------------------------- /modules/default.nix: 
-------------------------------------------------------------------------------- 1 | builtins.mapAttrs (_: moduleFile: import moduleFile) (import ./list.nix) 2 | -------------------------------------------------------------------------------- /pkgs/nixpie/exec-tools/htop.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | htop 6 | -------------------------------------------------------------------------------- /profiles/default.nix: -------------------------------------------------------------------------------- 1 | builtins.mapAttrs (_: moduleFile: import moduleFile) (import ./list.nix) 2 | -------------------------------------------------------------------------------- /lib/default.nix: -------------------------------------------------------------------------------- 1 | { lib }: 2 | 3 | { 4 | overlaysToPkgs = import ./overlays-to-pkgs.nix { inherit lib; }; 5 | } 6 | -------------------------------------------------------------------------------- /pkgs/overrides.nix: -------------------------------------------------------------------------------- 1 | { pkgsUnstable, pkgsMaster }: 2 | 3 | final: prev: { 4 | inherit (pkgsUnstable) 5 | httplib; 6 | } 7 | -------------------------------------------------------------------------------- /modules/packages/ocaml/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ./afit.nix 4 | ./dev.nix 5 | ./ssse.nix 6 | ]; 7 | } 8 | -------------------------------------------------------------------------------- /modules/services/x11/files/background.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/epita/nixpie/HEAD/modules/services/x11/files/background.jpg -------------------------------------------------------------------------------- /modules/services/networking/sshd/ssh_host_ed25519_key.pub: 
-------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFrVxXm3IfAJtEO0zTWwW7OD7AVL2vAGjrmVQrjbw0B 2 | -------------------------------------------------------------------------------- /modules/packages/python/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ./core.nix 4 | ./dev.nix 5 | ./thl.nix 6 | ./ssse.nix 7 | ]; 8 | } 9 | -------------------------------------------------------------------------------- /profiles/list.nix: -------------------------------------------------------------------------------- 1 | { 2 | core = ./core; 3 | exam = ./exam; 4 | graphical = ./graphical; 5 | tests = ./tests; 6 | vm = ./vm; 7 | local = ./local; 8 | } 9 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "local>cri/iac/infrastructure//renovate-presets" 5 | ] 6 | } 7 | -------------------------------------------------------------------------------- /images/special-args.nix: -------------------------------------------------------------------------------- 1 | { self 2 | , system 3 | , ... 4 | }@inputs: 5 | 6 | imageName: 7 | { 8 | inherit inputs system; 9 | nixpie = self; 10 | inherit imageName; 11 | } 12 | -------------------------------------------------------------------------------- /images/exam-prepa.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... 
}: 2 | 3 | { 4 | imports = [ 5 | ../profiles/exam 6 | 7 | ./nixos-prepa.nix 8 | ]; 9 | 10 | cri.sddm.title = lib.mkForce "Exam Prepa"; 11 | } 12 | -------------------------------------------------------------------------------- /images/exam-france-ioi.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... }: 2 | 3 | { 4 | imports = [ 5 | ../profiles/exam 6 | 7 | ./france-ioi.nix 8 | ]; 9 | 10 | cri.sddm.title = lib.mkForce "Exam France IOI"; 11 | } 12 | -------------------------------------------------------------------------------- /images/nixos-test.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | 3 | { 4 | imports = [ 5 | ../profiles/graphical 6 | ]; 7 | 8 | netboot.enable = true; 9 | cri.sddm.title = "NixOS Test."; 10 | 11 | cri.packages = { 12 | pkgs = { 13 | dev.enable = true; 14 | }; 15 | }; 16 | } 17 | -------------------------------------------------------------------------------- /images/nixos-nts.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... 
}: 2 | 3 | { 4 | imports = [ 5 | ../profiles/graphical 6 | ]; 7 | 8 | netboot.enable = true; 9 | cri.sddm.title = "Nixos NTS"; 10 | 11 | cri.packages = { 12 | pkgs = { 13 | nts.enable = true; 14 | }; 15 | }; 16 | } 17 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: local 3 | hooks: 4 | - id: nixpkgs-fmt 5 | name: nixpkgs-fmt 6 | description: Format nix code with nixpkgs-fmt 7 | entry: nixpkgs-fmt 8 | language: system 9 | files: \.nix$ 10 | always_run: true 11 | -------------------------------------------------------------------------------- /images/nixos-docker.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... }: 2 | 3 | { 4 | imports = [ 5 | ../profiles/graphical 6 | ]; 7 | 8 | cri.packages = { 9 | pkgs = { 10 | docker.enable = true; 11 | dev.enable = true; 12 | }; 13 | }; 14 | 15 | netboot.enable = true; 16 | cri.sddm.title = "NixOS Docker"; 17 | } 18 | -------------------------------------------------------------------------------- /images/exam-maths.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | imports = [ 5 | ../profiles/graphical 6 | ../profiles/exam 7 | ./nixos-maths.nix 8 | ]; 9 | 10 | cri.packages = { 11 | pkgs = { 12 | latexExam.enable = true; 13 | }; 14 | }; 15 | 16 | cri.sddm.title = lib.mkForce "Exam Maths"; 17 | } 18 | -------------------------------------------------------------------------------- /pkgs/applications/networking/cisco-packet-tracer/default.nix: -------------------------------------------------------------------------------- 1 | { ciscoPacketTracer8, fetchurl, ... 
}: 2 | 3 | ciscoPacketTracer8.override (old: { 4 | packetTracerSource = fetchurl { 5 | url = "https://gitlab.cri.epita.fr/forge/infra/nixpie/-/package_files/19305/download"; 6 | hash = "sha256-bNK4iR35LSyti2/cR0gPwIneCFxPP+leuA1UUKKn9y0="; 7 | }; 8 | }) 9 | -------------------------------------------------------------------------------- /images/nixos-lan.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | 3 | { 4 | imports = [ 5 | ../profiles/graphical 6 | ]; 7 | 8 | netboot.enable = true; 9 | cri.sddm.title = "NixOS LAN"; 10 | 11 | cri.packages = { 12 | pkgs = { 13 | dev.enable = true; 14 | games.enable = true; 15 | }; 16 | }; 17 | 18 | programs.steam.enable = true; 19 | } 20 | -------------------------------------------------------------------------------- /pkgs/by-name/du/dumptorrent/package.nix: -------------------------------------------------------------------------------- 1 | { dumptorrent, fetchFromGitHub, ... }: 2 | 3 | dumptorrent.overrideAttrs (old: { 4 | src = fetchFromGitHub { 5 | owner = "TheGoblinHero"; 6 | repo = "dumptorrent"; 7 | rev = "bb4b64cb504357dc6ed51bdd27c06062019a268d"; 8 | hash = "sha256-oOOn6tSW796it6r9vzOCsM1H+8UN1ejAHZlrbdShg1U="; 9 | }; 10 | }) 11 | -------------------------------------------------------------------------------- /pkgs/default.nix: -------------------------------------------------------------------------------- 1 | { lib, pkgs }: 2 | 3 | let 4 | allPackagesNames = builtins.attrNames (import ./top-level/all-packages.nix); 5 | 6 | drvs = lib.filterAttrs (name: _: builtins.elem name allPackagesNames) pkgs; 7 | 8 | systemDrvs = lib.filterAttrs 9 | (_: drv: builtins.elem pkgs.system (drv.meta.platforms)) 10 | drvs; 11 | in 12 | systemDrvs 13 | -------------------------------------------------------------------------------- /tests/node-exporter.nix: -------------------------------------------------------------------------------- 1 | { 2 | # node-exporter should be 
enabled by default 3 | nodes.machine = { }; 4 | 5 | testScript = '' 6 | machine.wait_for_unit("prometheus-node-exporter.service") 7 | machine.wait_for_open_port(9100) 8 | machine.succeed("set -o pipefail; curl -vvv http://localhost:9100/metrics | grep nixpie_image") 9 | ''; 10 | } 11 | -------------------------------------------------------------------------------- /modules/packages/pkgs/octave.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.octave.enable = lib.options.mkEnableOption "octave package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.octave.enable { 9 | environment.systemPackages = with pkgs; [ 10 | octaveFull 11 | ]; 12 | }; 13 | } 14 | -------------------------------------------------------------------------------- /modules/services/x11/desktop-managers/xfce.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | 3 | with lib; 4 | 5 | { 6 | options = { 7 | cri.xfce = { 8 | enable = mkEnableOption "Enable xfce"; 9 | }; 10 | }; 11 | 12 | config = mkIf config.cri.xfce.enable { 13 | services.xserver.desktopManager.xfce = { 14 | enable = true; 15 | }; 16 | }; 17 | } 18 | -------------------------------------------------------------------------------- /modules/packages/pkgs/cpp.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.cpp.enable = lib.options.mkEnableOption "dev C++ CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.cpp.enable { 9 | environment.systemPackages = with pkgs; [ 10 | httplib 11 | yaml-cpp 12 | ]; 13 | }; 14 | } 15 | -------------------------------------------------------------------------------- /shell.nix: -------------------------------------------------------------------------------- 1 | (import # Non-flake entry point: imports flake-compat on this source tree and exposes its shellNix attribute. 2 | ( 3 | let 4 | lock = builtins.fromJSON (builtins.readFile ./flake.lock); # flake-compat's revision and hash are read from flake.lock, not hard-coded here 5 | in 6 | fetchTarball { 7 | url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz"; 8 | sha256 = lock.nodes.flake-compat.locked.narHash; # the fetch fails unless the unpacked tarball matches the narHash recorded in flake.lock 9 | } 10 | ) 11 | { 12 | src = ./.; 13 | }).shellNix 14 | -------------------------------------------------------------------------------- /default.nix: -------------------------------------------------------------------------------- 1 | (import # Non-flake entry point: imports flake-compat on this source tree and exposes its defaultNix attribute. 2 | ( 3 | let 4 | lock = builtins.fromJSON (builtins.readFile ./flake.lock); # flake-compat's revision and hash are read from flake.lock, not hard-coded here 5 | in 6 | fetchTarball { 7 | url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz"; 8 | sha256 = lock.nodes.flake-compat.locked.narHash; # the fetch fails unless the unpacked tarball matches the narHash recorded in flake.lock 9 | } 10 | ) 11 | { 12 | src = ./.; 13 | }).defaultNix 14 | -------------------------------------------------------------------------------- /modules/packages/ocaml/ssse.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | options = { 5 | cri.packages.ocaml.ssse.enable = lib.options.mkEnableOption "ssse OCaml CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.ocaml.ssse.enable { 9 | cri.packages.ocamlPackages = with pkgs.ocamlPackages; [ 10 | lustre-v6 11 | ]; 12 | }; 13 | } 14 | -------------------------------------------------------------------------------- /modules/packages/pkgs/prolog.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.prolog.enable = lib.options.mkEnableOption "Prolog CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.prolog.enable { 9 | environment.systemPackages = with pkgs; [ 10 | swi-prolog 11 | gprolog 12 | ]; 13 | }; 14 | } 15 | -------------------------------------------------------------------------------- /modules/packages/pkgs/spider.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.spider.enable = lib.options.mkEnableOption "dev Spider CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.spider.enable { 9 | environment.systemPackages = with pkgs; [ 10 | libev 11 | openssl 12 | ]; 13 | }; 14 | } 15 | -------------------------------------------------------------------------------- /modules/packages/pkgs/js.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.js.enable = lib.options.mkEnableOption "dev JS CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.js.enable { 9 | environment.systemPackages = with pkgs; [ 10 | nodejs_20 11 | yarn 12 | #postman 13 | ]; 14 | }; 15 | } 16 | -------------------------------------------------------------------------------- /pkgs/by-name/sa/salt/package.nix: -------------------------------------------------------------------------------- 1 | { salt, python3, ... }: 2 | 3 | # FIXME: remove this when https://github.com/NixOS/nixpkgs/pull/430533 reaches 4 | # the release branch. It seems like nixpkgs maintainers are not aiming to 5 | # backport this so it will probably wait until 25.11. 6 | 7 | salt.override (old: { 8 | extraInputs = with python3.pkgs; [ 9 | cryptography 10 | ]; 11 | }) 12 | -------------------------------------------------------------------------------- /modules/packages/ocaml/dev.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.ocaml.dev.enable = lib.options.mkEnableOption "dev OCaml CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.ocaml.dev.enable { 9 | cri.packages.ocamlPackages = with pkgs.ocamlPackages; [ 10 | findlib 11 | graphics 12 | ]; 13 | }; 14 | } 15 | -------------------------------------------------------------------------------- /images/nixos-image.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}: 2 | 3 | { 4 | imports = [ 5 | ../profiles/graphical 6 | ]; 7 | 8 | netboot.enable = true; 9 | cri.sddm.title = "NixOS IMAGE"; 10 | cri.packages = { 11 | pkgs = { 12 | dev.enable = true; 13 | opengl.enable = true; 14 | }; 15 | }; 16 | 17 | environment.systemPackages = with pkgs; [ 18 | blender 19 | ]; 20 | } 21 | -------------------------------------------------------------------------------- /modules/packages/pkgs/asm.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.asm.enable = lib.options.mkEnableOption "dev ASM CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.asm.enable { 9 | environment.systemPackages = with pkgs; [ 10 | dosbox 11 | geany 12 | m68k 13 | nasm 14 | ]; 15 | }; 16 | } 17 | -------------------------------------------------------------------------------- /modules/packages/pkgs/devFunctional.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.devFunctional.enable = lib.options.mkEnableOption "dev CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.devFunctional.enable { 9 | environment.systemPackages = with pkgs; [ 10 | ghc 11 | sbcl 12 | ]; 13 | }; 14 | } 15 | 16 | -------------------------------------------------------------------------------- /modules/packages/python/thl.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | options = { 5 | cri.packages.python.thl.enable = lib.options.mkEnableOption "dev THL Python CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.python.thl.enable { 9 | cri.packages.pythonPackages.thl = pythonPackages: with pythonPackages; [ 10 | graphviz 11 | ]; 12 | }; 13 | } 14 | -------------------------------------------------------------------------------- /pkgs/nswrappers/ns-del-if: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Delete the link named "NAME-1-NS" from inside network namespace NS. 3 | usage() { 4 | echo "Usage: ${0} NAME NS" 5 | } 6 | # Refuse to run unless the effective UID is 0. 7 | if [[ "${EUID}" -ne 0 ]]; then 8 | echo "This command need to be run as root." 9 | exit 1 10 | fi 11 | # Exactly two positional arguments are required. 12 | if [[ "${#}" -ne 2 ]]; then 13 | usage 14 | exit 1 15 | fi 16 | 17 | IFN="${1}" 18 | NS="${2}" 19 | # stderr is discarded, so a missing namespace or link fails silently; the exit status of ip is still the script's exit status. 20 | ip netns exec "${NS}" ip link del "${IFN}-1-${NS}" 2> /dev/null 21 | -------------------------------------------------------------------------------- /modules/packages/pkgs/fuse.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | # Optional bundle of FUSE tools, added to environment.systemPackages when cri.packages.pkgs.fuse.enable is set. 3 | { 4 | options = { 5 | cri.packages.pkgs.fuse.enable = lib.options.mkEnableOption "fuse CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.fuse.enable { 9 | environment.systemPackages = with pkgs; [ 10 | fuse 11 | fuse3 12 | fuseiso 13 | sshfs 14 | ]; 15 | }; 16 | } 17 | -------------------------------------------------------------------------------- /modules/packages/pkgs/lisp.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.lisp.enable = lib.options.mkEnableOption "dev Lisp CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.lisp.enable { 9 | environment.systemPackages = with pkgs; [ 10 | sbcl 11 | clisp 12 | emacsPackages.slime 13 | ]; 14 | }; 15 | } 16 | -------------------------------------------------------------------------------- /modules/packages/pkgs/coq.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | # TICKET #39777 4 | { 5 | options = { 6 | cri.packages.pkgs.coq.enable = lib.options.mkEnableOption "dev Coq CRI package bundle"; 7 | }; 8 | 9 | config = lib.mkIf config.cri.packages.pkgs.coq.enable { 10 | environment.systemPackages = with pkgs; [ 11 | coq_8_20 12 | coqPackages_8_20.coqide 13 | ]; 14 | }; 15 | } 16 | -------------------------------------------------------------------------------- /modules/packages/pkgs/latex-exam.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.latexExam.enable = lib.options.mkEnableOption "LaTeX Exam CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.latexExam.enable { 9 | environment.systemPackages = with pkgs; [ 10 | lyx 11 | texlive.combined.scheme-basic 12 | ]; 13 | }; 14 | } 15 | -------------------------------------------------------------------------------- /modules/packages/python/core.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | options = { 5 | cri.packages.python.core.enable = lib.options.mkEnableOption "core Python CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.python.core.enable { 9 | cri.packages.pythonPackages.core = pythonPackages: with pythonPackages; [ 10 | pip 11 | virtualenv 12 | ]; 13 | }; 14 | } 15 | -------------------------------------------------------------------------------- /pkgs/applications/editors/geany/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , m68k 3 | , geany 4 | }: 5 | 6 | geany.overrideAttrs (old: rec { 7 | postInstall = (old.postInstall or "") + '' 8 | cp ${m68k}/share/geany/filedefs/filetypes.asm $out/share/geany/filedefs/filetypes.asm 9 | ''; 10 | 11 | meta = with lib; old.meta // { 12 | # m68k is only supported on Linux 13 | platforms = platforms.linux; 14 | }; 15 | }) 16 | -------------------------------------------------------------------------------- /pkgs/nswrappers/ns-destroy: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | usage() { 4 | echo "Usage: ${0} NAME1 [NAME2...]" 5 | } 6 | 7 | if [[ "${EUID}" -ne 0 ]]; then 8 | echo "This command need to be run as root." 9 | exit 1 10 | fi 11 | 12 | if [[ "${#}" -eq 0 ]]; then 13 | usage 14 | exit 1 15 | fi 16 | 17 | for ns in "$@"; do 18 | ip netns delete "${ns}" &> /dev/null && echo "Namespace '${ns}' removed." 19 | done 20 | -------------------------------------------------------------------------------- /images/exam-pie.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}: 2 | 3 | with lib; 4 | 5 | { 6 | imports = [ 7 | ../profiles/graphical 8 | ../profiles/exam 9 | 10 | ./nixos-pie.nix 11 | ]; 12 | 13 | cri.packages = { 14 | pkgs = { 15 | latexExam.enable = true; 16 | thl.enable = mkForce false; 17 | tiger.enable = mkForce false; 18 | }; 19 | }; 20 | 21 | cri.sddm.title = lib.mkForce "Exam PIE"; 22 | } 23 | -------------------------------------------------------------------------------- /modules/packages/python/dev.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | # Optional Python bundle: contributes ipython, pytest and pyyaml to cri.packages.pythonPackages.dev when enabled. 3 | { 4 | options = { 5 | cri.packages.python.dev.enable = lib.options.mkEnableOption "dev Python CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.python.dev.enable { 9 | cri.packages.pythonPackages.dev = pythonPackages: with pythonPackages; [ 10 | ipython 11 | pytest 12 | pyyaml 13 | ]; 14 | }; 15 | } 16 | -------------------------------------------------------------------------------- /pkgs/nswrappers/ns-exec: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Run CMD in network namespace NS through capsh, switching to the user reported by logname with cap_net_admin and cap_net_raw added as ambient capabilities. 3 | usage() { 4 | echo "Usage: ${0} NS CMD [ARG1 [ARG2...]]" 5 | } 6 | # NOTE(review): unlike ns-del-if and ns-destroy there is no EUID check here; ip netns exec needs root, so confirm how this script is invoked. 7 | if [[ "${#}" -lt 2 ]]; then 8 | usage 9 | exit 1 10 | fi 11 | # The first argument is the namespace; everything after it is the command. 12 | NS="${1}" 13 | shift 14 | # NOTE(review): "${*}" joins all remaining arguments into one string that the shell launched by capsh parses again, so per-argument quoting is lost and shell syntax inside the arguments is interpreted. 15 | exec ip netns exec "${NS}" capsh \ 16 | --caps="cap_net_admin,cap_net_raw+eip cap_setpcap,cap_setuid,cap_setgid+ep" \ 17 | --keep=1 --user="$(logname)" --addamb="cap_net_admin,cap_net_raw" -- -c "${*}" 18 | -------------------------------------------------------------------------------- /modules/packages/pkgs/afit.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.afit.enable = lib.options.mkEnableOption "dev AFIT CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.afit.enable { 9 | cri.packages.ocaml.afit.enable = lib.mkDefault true; 10 | 11 | environment.systemPackages = with pkgs; [ 12 | dune_2 13 | gmp 14 | ]; 15 | }; 16 | } 17 | -------------------------------------------------------------------------------- /pkgs/applications/window-managers/i3/lock.nix: -------------------------------------------------------------------------------- 1 | { stdenv, lib, i3lock, systemd }: 2 | # i3lock rebuilt with the EPITA patch, systemd added to propagatedBuildInputs, and its PAM service file edited. 3 | i3lock.overrideAttrs (old: rec { 4 | propagatedBuildInputs = (old.propagatedBuildInputs or [ ]) ++ [ systemd ]; 5 | # NOTE(review): this assignment replaces old.patches instead of appending to it; confirm no patch from the base package is dropped. 6 | patches = [ 7 | ./i3lock-epita.patch 8 | ]; 9 | # Rewrites "login" to "system-auth" in pam/i3lock, presumably so the lock screen authenticates through the system-auth PAM stack; confirm that stack exists on the target images. 10 | postPatch = '' 11 | sed -i -e 's:login:system-auth:' pam/i3lock 12 | ''; 13 | # NOTE(review): meta is set to platforms only, not merged into old.meta, so the base package's other meta fields are not carried over; confirm intended. 14 | meta = with lib; { 15 | platforms = platforms.linux; 16 | }; 17 | }) 18 | -------------------------------------------------------------------------------- /pkgs/nixpie/exec-tools/clear_bootcache.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | # Recreate an ext4 filesystem on the partition carrying the given partition label; existing data on it is lost. 5 | clear_partition() { 6 | label="${1}" 7 | partition="/dev/disk/by-partlabel/${label}" 8 | # A missing block device is not fatal: the function returns and the script goes on to the next label. 9 | if [ ! -b "${partition}" ]; then 10 | echo "No ${label} partition found. Exiting..." 11 | return 12 | fi 13 | # -F forces mkfs.ext4 to proceed; -L reuses the partition label as the filesystem label. 14 | mkfs.ext4 -F -L "${label}" "${partition}" 15 | } 16 | 17 | clear_partition bootcache 18 | clear_partition nix-store-rw 19 | -------------------------------------------------------------------------------- /images/exam-majeures.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}: 2 | 3 | { 4 | imports = [ 5 | ../profiles/graphical 6 | ../profiles/exam 7 | 8 | ./nixos-majeures.nix 9 | ]; 10 | 11 | cri.packages = { 12 | pkgs = { 13 | latexExam.enable = true; 14 | libvirt.enable = lib.mkForce false; 15 | libvirt.enableDiskPartition = lib.mkForce false; 16 | }; 17 | }; 18 | 19 | cri.sddm.title = lib.mkForce "Exam Majeures"; 20 | } 21 | -------------------------------------------------------------------------------- /modules/packages/pkgs/opengl.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.opengl.enable = lib.options.mkEnableOption "OpenGL CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.opengl.enable { 9 | environment.systemPackages = with pkgs; [ 10 | blender 11 | freeglut 12 | glew 13 | glfw 14 | libGL 15 | libGLU 16 | ]; 17 | }; 18 | } 19 | -------------------------------------------------------------------------------- /modules/services/networking/sshd/ssh_host_ed25519_key: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 3 | QyNTUxOQAAACCBa1cV5tyHwCbRDtM01sFuzg+wFS9rwBo65lUK428NAQAAAIirnYkpq52J 4 | KQAAAAtzc2gtZWQyNTUxOQAAACCBa1cV5tyHwCbRDtM01sFuzg+wFS9rwBo65lUK428NAQ 5 | AAAEDQTufxR7T0nbRcabPRlVqfK3drSKBwHiDgfg2XEbnYjoFrVxXm3IfAJtEO0zTWwW7O 6 | D7AVL2vAGjrmVQrjbw0BAAAAAAECAwQF 7 | -----END OPENSSH PRIVATE KEY----- 8 | -------------------------------------------------------------------------------- /pkgs/development/compilers/clang32-alias/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , runCommand 3 | , pkgsi686Linux 4 | }: 5 | 6 | let 7 | clang32 = pkgsi686Linux.llvmPackages_18.clang; 8 | in 9 | (runCommand "clang32-alias" { } '' 10 | mkdir -p $out/bin 11 | for f in ${clang32}/bin/* 
12 | do 13 | ln -s $f $out/bin/$(basename $f)32 14 | done 15 | '').overrideAttrs (old: { 16 | meta = with lib; { 17 | platforms = platforms.unix; 18 | }; 19 | }) 20 | -------------------------------------------------------------------------------- /modules/packages/pkgs/thl.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.thl.enable = lib.options.mkEnableOption "dev THL CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.thl.enable { 9 | cri.packages.python.thl.enable = lib.mkDefault true; 10 | 11 | environment.systemPackages = with pkgs; [ 12 | bison 13 | flex 14 | graphviz 15 | ]; 16 | }; 17 | } 18 | -------------------------------------------------------------------------------- /profiles/vm/default.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | 3 | { 4 | netboot = { 5 | home.enable = true; 6 | swap.enable = true; 7 | fallbackNameservers = [ "1.1.1.1" "1.0.0.1" ]; 8 | }; 9 | 10 | cri.users.checkEpitaUserAllowed = false; 11 | 12 | networking.nameservers = lib.mkForce [ "1.1.1.1" "1.0.0.1" ]; 13 | 14 | cri = { 15 | idle-shutdown.enable = lib.mkForce false; 16 | sm-inventory-agent.enable = lib.mkForce false; 17 | }; 18 | } 19 | -------------------------------------------------------------------------------- /modules/packages/pkgs/prpa.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | # Packages needed for the Parallel Programming course at EPITA 3 | 4 | { 5 | options = { 6 | cri.packages.pkgs.prpa.enable = lib.options.mkEnableOption "dev PRPA CRI package bundle"; 7 | }; 8 | 9 | config = lib.mkIf config.cri.packages.pkgs.prpa.enable { 10 | environment.systemPackages = with pkgs; [ 11 | SDL2 12 | perf-tools 13 | tbb 14 | ]; 15 | }; 16 | } 17 | -------------------------------------------------------------------------------- /pkgs/development/compilers/ocaml/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , symlinkJoin 3 | , makeWrapper 4 | , ocamlPackages 5 | , ocaml 6 | }: 7 | 8 | symlinkJoin rec { 9 | inherit (ocaml) name meta; 10 | version = lib.getVersion ocaml; 11 | 12 | paths = [ ocaml ]; 13 | buildInputs = [ makeWrapper ]; 14 | 15 | postBuild = '' 16 | wrapProgram $out/bin/ocaml \ 17 | --add-flags "-I ${ocamlPackages.findlib}/lib/ocaml/${version}/site-lib" 18 | ''; 19 | } 20 | -------------------------------------------------------------------------------- /modules/packages/pkgs/ocaml.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.ocaml.enable = lib.options.mkEnableOption "dev OCaml CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.ocaml.enable { 9 | cri.packages.ocaml.dev.enable = lib.mkDefault true; 10 | 11 | environment.systemPackages = with pkgs; [ 12 | ocaml 13 | opam 14 | ocaml-top 15 | ]; 16 | }; 17 | } 18 | -------------------------------------------------------------------------------- /pkgs/nswrappers/ns-init: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | usage() { 4 | echo "Usage: ${0} NAME1 [NAME2...]" 5 | } 6 | 7 | if [[ "${EUID}" -ne 0 ]]; then 8 | echo "This command need to be run as root." 
9 | exit 1 10 | fi 11 | 12 | if [[ "${#}" -eq 0 ]]; then 13 | usage 14 | exit 1 15 | fi 16 | 17 | for ns in "$@"; do 18 | # Cleanup 19 | ip netns delete "${ns}" &> /dev/null 20 | 21 | ip netns add "${ns}" && echo "Namespace '${ns}' created." 22 | done 23 | -------------------------------------------------------------------------------- /images/nixos-net.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | 3 | { 4 | imports = [ 5 | ../profiles/graphical 6 | ]; 7 | 8 | netboot.enable = true; 9 | cri.sddm.title = "NixOS NET"; 10 | 11 | cri.packages = { 12 | pkgs = { 13 | dev.enable = true; 14 | docker.enable = true; 15 | net.enable = true; 16 | }; 17 | }; 18 | 19 | environment.systemPackages = with pkgs; [ ciscoPacketTracer8 ]; 20 | 21 | cri.nswrappers.enable = true; 22 | } 23 | -------------------------------------------------------------------------------- /modules/services/x11/window-managers/i3.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... }: 2 | 3 | with lib; 4 | 5 | { 6 | options = { 7 | cri.i3 = { 8 | enable = mkEnableOption "Enable i3"; 9 | }; 10 | }; 11 | 12 | config = mkIf config.cri.i3.enable { 13 | services.xserver.windowManager.i3 = { 14 | enable = true; 15 | extraSessionCommands = '' 16 | ${pkgs.feh}/bin/feh --bg-scale ${../files/background.jpg} 17 | ''; 18 | }; 19 | }; 20 | } 21 | -------------------------------------------------------------------------------- /modules/programs/yubikey.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... 
}: 2 | 3 | with lib; 4 | 5 | { 6 | options = { 7 | cri.yubikey = { 8 | enable = mkEnableOption "Enable yubikey-related tools"; 9 | }; 10 | }; 11 | 12 | config = mkIf config.cri.yubikey.enable { 13 | services.pcscd.enable = true; 14 | 15 | environment.systemPackages = with pkgs; [ 16 | yubikey-manager 17 | yubikey-personalization 18 | yubioath-flutter 19 | ]; 20 | }; 21 | } 22 | -------------------------------------------------------------------------------- /modules/packages/pkgs/java.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.java.enable = lib.options.mkEnableOption "dev Java CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.java.enable { 9 | environment.systemPackages = with pkgs; [ 10 | jetbrains.idea-ultimate 11 | maven 12 | ]; 13 | 14 | programs.java = { 15 | enable = true; 16 | package = pkgs.jdk; 17 | }; 18 | }; 19 | } 20 | -------------------------------------------------------------------------------- /modules/packages/pkgs/sql.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.sql.enable = lib.options.mkEnableOption "dev SQL CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.sql.enable { 9 | environment.systemPackages = with pkgs; [ 10 | jetbrains.datagrip 11 | postgresql 12 | sqlfluff 13 | ]; 14 | 15 | environment.pathsToLink = [ 16 | "/share/postgresql" 17 | ]; 18 | }; 19 | } 20 | -------------------------------------------------------------------------------- /modules/packages/pkgs/games.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.games.enable = lib.options.mkEnableOption "games CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.games.enable { 9 | environment.systemPackages = with pkgs; [ 10 | crispyDoom 11 | freeciv 12 | nethack 13 | openttd 14 | superTuxKart 15 | teeworlds 16 | warsow 17 | wesnoth 18 | ]; 19 | }; 20 | } 21 | -------------------------------------------------------------------------------- /modules/services/x11/redshift.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | 3 | with lib; 4 | 5 | { 6 | options = { 7 | cri.redshift = { 8 | enable = mkEnableOption "Whether to enable redshift."; 9 | }; 10 | }; 11 | 12 | config = mkIf config.cri.redshift.enable { 13 | services.redshift = { 14 | enable = true; 15 | }; 16 | 17 | # Used by redshift to determine sunrise and sunset. 18 | location = { 19 | latitude = 48.87951; 20 | longitude = 2.28513; 21 | }; 22 | }; 23 | } 24 | -------------------------------------------------------------------------------- /profiles/local/default.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | 3 | with lib; 4 | 5 | { 6 | netboot.enable = mkForce false; 7 | 8 | boot.loader = { 9 | systemd-boot.enable = true; 10 | efi.canTouchEfiVariables = true; 11 | }; 12 | 13 | fileSystems."/" = { 14 | device = "/dev/disk/by-label/nixos-root"; 15 | fsType = "ext4"; 16 | }; 17 | fileSystems."/boot" = { 18 | device = "/dev/disk/by-label/EFI"; 19 | fsType = "vfat"; 20 | }; 21 | swapDevices = [ 22 | { device = "/dev/disk/by-label/nixos-swap"; } 23 | ]; 24 | } 25 | -------------------------------------------------------------------------------- /modules/packages/pkgs/r.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | let 4 | nixpieRPackages = with pkgs.rPackages; [ 5 | FactoMineR 6 | ]; 7 | in 8 | { 9 | options = { 10 | cri.packages.pkgs.r.enable = lib.options.mkEnableOption "dev R CRI package bundle"; 11 | }; 12 | 13 | config = lib.mkIf config.cri.packages.pkgs.r.enable { 14 | environment.systemPackages = with pkgs; [ 15 | (rWrapper.override { packages = nixpieRPackages; }) 16 | (rstudioWrapper.override { packages = nixpieRPackages; }) 17 | ]; 18 | }; 19 | } 20 | -------------------------------------------------------------------------------- /images/nixos-prepa.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... }: 2 | 3 | with lib; 4 | 5 | { 6 | imports = [ 7 | ../profiles/graphical 8 | ]; 9 | 10 | netboot.enable = true; 11 | cri.sddm.title = "NixOS Prepa"; 12 | 13 | cri.packages = { 14 | pkgs = { 15 | dev.enable = true; 16 | python.enable = true; 17 | ocaml.enable = true; 18 | octave.enable = true; 19 | asm.enable = true; 20 | gtk.enable = true; 21 | rust.enable = true; 22 | sdl.enable = true; 23 | thl.enable = true; 24 | }; 25 | }; 26 | } 27 | -------------------------------------------------------------------------------- /modules/services/hardware/bluetooth.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... 
}: 2 | 3 | with lib; 4 | 5 | { 6 | options = { 7 | cri.bluetooth = { 8 | enable = mkEnableOption "Whether to enable bluetooth."; 9 | }; 10 | }; 11 | 12 | config = mkIf config.cri.bluetooth.enable { 13 | hardware.bluetooth = { 14 | enable = true; 15 | package = pkgs.bluez; 16 | }; 17 | 18 | services.blueman.enable = true; 19 | 20 | environment.systemPackages = with pkgs; [ 21 | bluez-tools 22 | blueberry 23 | ]; 24 | }; 25 | } 26 | -------------------------------------------------------------------------------- /pkgs/development/libraries/libfff/default.nix: -------------------------------------------------------------------------------- 1 | { lib, stdenv, fetchFromGitHub }: 2 | 3 | stdenv.mkDerivation rec { 4 | pname = "fff"; 5 | version = "1.1"; 6 | 7 | src = fetchFromGitHub { 8 | owner = "meekrosoft"; 9 | repo = "fff"; 10 | rev = "v${version}"; 11 | sha256 = "sha256-EY/Ay44+dlJ41ftioCLylcN0g4WLhOLVeskgmsUwQDQ="; 12 | }; 13 | 14 | phases = [ "installPhase" ]; 15 | 16 | installPhase = '' 17 | install -Dm755 $src/fff.h $out/include/fff.h 18 | ''; 19 | 20 | meta = with lib; { 21 | platforms = platforms.unix; 22 | }; 23 | } 24 | -------------------------------------------------------------------------------- /modules/services/audio/alsa.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... 
}: 2 | 3 | with lib; 4 | 5 | { 6 | options = { 7 | cri.sound = { 8 | enable = mkEnableOption "Whether to enable ALSA sound."; 9 | }; 10 | }; 11 | 12 | config = mkIf config.cri.sound.enable { 13 | services.pipewire = { 14 | enable = true; 15 | alsa.enable = true; 16 | alsa.support32Bit = true; 17 | pulse.enable = true; 18 | }; 19 | 20 | environment.systemPackages = with pkgs; [ 21 | pavucontrol 22 | pa_applet 23 | paprefs 24 | ]; 25 | }; 26 | } 27 | -------------------------------------------------------------------------------- /pkgs/development/python-modules/dash-daq/default.nix: -------------------------------------------------------------------------------- 1 | { lib, buildPythonPackage, fetchPypi }: 2 | 3 | buildPythonPackage rec { 4 | pname = "dash_daq"; 5 | version = "0.5.0"; 6 | 7 | src = fetchPypi { 8 | inherit pname version; 9 | hash = "sha256-odhbZ5n3uIVlL7xErr21jEElRhao01C5Q77rQq3kJWo="; 10 | }; 11 | 12 | propagatedBuildInputs = [ 13 | ]; 14 | 15 | doCheck = false; 16 | 17 | meta = with lib; { 18 | homepage = "https://github.com/plotly/dash-daq"; 19 | description = "DAQ components for Dash."; 20 | license = licenses.mit; 21 | }; 22 | } 23 | -------------------------------------------------------------------------------- /modules/packages/pkgs/python.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.python.enable = lib.options.mkEnableOption "dev Python CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.python.enable { 9 | environment.systemPackages = with pkgs; [ 10 | (writeScriptBin "python-doc" '' 11 | echo "Opening Python documentation..." 12 | ${xdg-utils}/bin/xdg-open "$(find "${python3.doc}" -maxdepth 5 -name index.html)" >/dev/null 2>/dev/null /dev/null 2>/dev/null 6 | #include 7 | 8 | int main() { 9 | return 0; 10 | } 11 | ''; 12 | in 13 | { 14 | nodes.machine = { config, pkgs, ... 
}: { 15 | cri.packages.pkgs = { 16 | dev.enable = true; 17 | spider.enable = true; 18 | }; 19 | }; 20 | 21 | testScript = '' 22 | start_all() 23 | machine.succeed("g++ -o success ${testSuccess} -lssl -lcrypto -lev --std=c++17 -Wall -Werror -Wextra") 24 | machine.succeed("./success") 25 | ''; 26 | } 27 | 28 | -------------------------------------------------------------------------------- /images/france-ioi.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | 3 | let 4 | franceIOIPkgs = with pkgs; [ 5 | codeblocksFull 6 | ddd 7 | eclipses.eclipse-sdk 8 | gedit 9 | gource 10 | libsForQt5.kate 11 | sublime3 12 | vscode 13 | ]; 14 | in 15 | { 16 | imports = [ 17 | ../profiles/graphical 18 | ]; 19 | 20 | netboot.enable = true; 21 | cri.sddm.title = "France IOI"; 22 | cri.xfce.enable = true; 23 | 24 | environment.systemPackages = franceIOIPkgs; 25 | 26 | cri.packages = { 27 | pkgs = { 28 | dev.enable = true; 29 | java.enable = true; 30 | }; 31 | }; 32 | } 33 | -------------------------------------------------------------------------------- /pkgs/development/python-modules/dash-colorscales/default.nix: -------------------------------------------------------------------------------- 1 | { lib, buildPythonPackage, fetchPypi }: 2 | 3 | buildPythonPackage rec { 4 | pname = "dash_colorscales"; 5 | version = "0.0.4"; 6 | 7 | src = fetchPypi { 8 | inherit pname version; 9 | hash = "sha256-4uuMeOcC0D6cE/t8qIjtICFSSU27BT9aq2QXtvbRn2M="; 10 | }; 11 | 12 | propagatedBuildInputs = [ 13 | ]; 14 | 15 | doCheck = false; 16 | 17 | meta = with lib; { 18 | homepage = "https://github.com/plotly/dash-colorscales"; 19 | description = "Add a fancy colorscale picker to your Dash apps"; 20 | license = licenses.mit; 21 | }; 22 | } 23 | -------------------------------------------------------------------------------- /tests/nswrappers.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | 3 | { 4 | nodes.machine = { config, pkgs, ... }: { 5 | cri.nswrappers.enable = true; 6 | 7 | users.users.alice = { 8 | isNormalUser = true; 9 | group = "students"; 10 | }; 11 | users.groups.students = { 12 | gid = 15000; 13 | }; 14 | }; 15 | 16 | testScript = '' 17 | start_all() 18 | machine.succeed("su - alice -c 'sudo ns-init test-ns'") 19 | machine.succeed("ip netns ls | grep test-ns") 20 | machine.succeed("su - epita -c 'sudo ns-init test2-ns'") 21 | machine.succeed("ip netns ls | grep test2-ns") 22 | ''; 23 | } 24 | -------------------------------------------------------------------------------- /images/nixos-ssse.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... }: 2 | 3 | { 4 | imports = [ ../profiles/graphical ]; 5 | 6 | netboot.enable = true; 7 | cri.sddm.title = "NixOS SSSE"; 8 | 9 | cri.packages = { 10 | python.core.enable = true; 11 | python.ssse.enable = true; 12 | ocaml.ssse.enable = true; 13 | pkgs = { 14 | dev.enable = true; 15 | podman.enable = true; # FORGE #65303 16 | java.enable = true; 17 | js.enable = true; 18 | ocaml.enable = true; 19 | ssse.enable = true; 20 | libvirt.enable = true; 21 | libvirt.enableDiskPartition = true; 22 | }; 23 | }; 24 | } 25 | -------------------------------------------------------------------------------- /modules/packages/pkgs/scala.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.scala.enable = lib.options.mkEnableOption "dev Scala CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.scala.enable { 9 | cri.packages.pkgs = { 10 | java.enable = true; 11 | }; 12 | 13 | environment.systemPackages = with pkgs; [ 14 | sbt 15 | (vscode-with-extensions.override { 16 | vscode = vscodium; 17 | vscodeExtensions = with vscode-extensions; [ 18 | scala-lang.scala 19 | ]; 20 | }) 21 | ]; 22 | }; 23 | } 24 | -------------------------------------------------------------------------------- /profiles/tests/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | 3 | with lib; 4 | 5 | { 6 | networking = { 7 | hostName = mkForce "machine"; 8 | useDHCP = mkForce false; 9 | }; 10 | 11 | system.name = mkForce config.networking.hostName; 12 | 13 | cri = { 14 | machine-state.enable = mkForce false; 15 | salt.enable = mkForce false; 16 | users.checkEpitaUserAllowed = false; 17 | }; 18 | 19 | # Disabled in tests by default in NixOS, but we enable it in 20 | # profiles/core so it conflicts. 
Let's just get rid of it, we don't 21 | # test it anyway 22 | documentation = { 23 | enable = mkForce false; 24 | }; 25 | } 26 | -------------------------------------------------------------------------------- /pkgs/development/python-modules/strsimpy/default.nix: -------------------------------------------------------------------------------- 1 | { lib, buildPythonPackage, fetchPypi }: 2 | 3 | buildPythonPackage rec { 4 | pname = "strsimpy"; 5 | version = "0.2.1"; 6 | 7 | src = fetchPypi { 8 | inherit pname version; 9 | hash = "sha256-CELrV/evhsiCpZobyHIewlgKJn5WP9BQPO0pcgQDcsk="; 10 | }; 11 | 12 | propagatedBuildInputs = [ 13 | ]; 14 | 15 | doCheck = false; 16 | 17 | meta = with lib; { 18 | homepage = "https://github.com/luozhouyang/python-string-similarity"; 19 | description = "A library implementing different string similarity and distance measures"; 20 | license = licenses.bsd3; 21 | }; 22 | } 23 | -------------------------------------------------------------------------------- /images/nixos-summer-program.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | { 3 | imports = [ 4 | ../profiles/graphical 5 | ]; 6 | 7 | netboot.enable = true; 8 | cri.sddm.title = "NixOS Summer Program"; 9 | 10 | services.udev.extraRules = '' 11 | SUBSYSTEMS=="usb", ATTRS{idProduct}=="7523", ATTRS{idVendor}=="1a86", SYMLINK+="espcam", GROUP="users" 12 | ''; 13 | 14 | cri = { 15 | xfce.enable = true; 16 | 17 | packages.pkgs = { 18 | dev.enable = true; 19 | docker.enable = true; 20 | net.enable = true; 21 | }; 22 | }; 23 | 24 | environment.systemPackages = with pkgs; [ 25 | arduino 26 | ]; 27 | } 28 | 29 | 30 | -------------------------------------------------------------------------------- /modules/packages/pkgs/docker.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}:

let
  # Shorthand for this bundle's option subtree.
  bundle = config.cri.packages.pkgs.docker;
in
{
  options.cri.packages.pkgs.docker.enable = lib.mkEnableOption "Docker package bundle";

  config = lib.mkIf bundle.enable {
    virtualisation.docker.enable = true;

    environment.systemPackages = [ pkgs.docker-compose ];

    # pam_group rule, fields are services;ttys;users;times;groups: for any
    # service, any tty and any user, on all days from 00:00 to 24:00, add the
    # `docker` supplementary group to the session.
    # Membership of `docker` gives access to the Docker daemon, which is
    # effectively root on the host, so enabling this bundle hands that level
    # of access to every account that logs in through a PAM stack loading
    # pam_group.so.
    environment.etc."security/group.conf".text = ''
      *;*;*;Al0000-2400;docker
    '';

    # Load pam_group in the sddm login stack, ordered ahead of the rest of the
    # service text (lib.mkBefore), so the rule above applies to sddm logins.
    security.pam.services.sddm.text = lib.mkBefore ''
      auth required pam_group.so
    '';
  };
}
-------------------------------------------------------------------------------- /modules/packages/pkgs/gtk.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.gtk.enable = lib.options.mkEnableOption "dev GTK CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.gtk.enable { 9 | environment.systemPackages = with pkgs; [ 10 | atk 11 | cairo 12 | gdk-pixbuf 13 | glade 14 | glib 15 | gtk3 16 | gtk3-x11 17 | harfbuzzFull 18 | pango 19 | zlib 20 | ]; 21 | 22 | environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${pkgs.gtk3}/share/gsettings-schemas/${pkgs.gtk3.name}/glib-2.0/schemas"; 23 | }; 24 | } 25 | -------------------------------------------------------------------------------- /modules/packages/pkgs/tiger.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.tiger.enable = lib.options.mkEnableOption "dev Tiger CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.tiger.enable { 9 | environment.systemPackages = with pkgs; [ 10 | autoconf 11 | automake 12 | bison 13 | boost 14 | flex 15 | reflex 16 | gnum4 17 | gnumake 18 | havm 19 | libtool 20 | libxslt 21 | llvmPackages_18.llvm 22 | nolimips 23 | perl 24 | clang32-alias 25 | bear 26 | ovm 27 | ]; 28 | }; 29 | } 30 | -------------------------------------------------------------------------------- /images/nixos-immersion.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | 3 | { 4 | imports = [ 5 | ../profiles/graphical 6 | ]; 7 | 8 | netboot.enable = true; 9 | cri.sddm.title = "NixOS Immersion"; 10 | cri.xfce.enable = true; 11 | 12 | environment.systemPackages = with pkgs; [ 13 | gedit 14 | gimp 15 | weka 16 | ]; 17 | 18 | environment.pathsToLink = [ "/share/weka" ]; 19 | 20 | cri.packages.pythonPackages.nixosPieCustom = p: with p; [ 21 | opencv4 22 | matplotlib 23 | numpy 24 | jupyter 25 | ]; 26 | 27 | cri.packages = { 28 | pkgs = { 29 | dev.enable = true; 30 | csharp.enable = true; 31 | }; 32 | }; 33 | } 34 | -------------------------------------------------------------------------------- /modules/packages/pkgs/sdl.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.sdl.enable = lib.options.mkEnableOption "dev SDL CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.sdl.enable { 9 | environment.systemPackages = with pkgs; [ 10 | # v1 11 | SDL 12 | SDL_Pango 13 | SDL_gfx 14 | SDL_image 15 | SDL_mixer 16 | SDL_net 17 | SDL_ttf 18 | 19 | # v2 20 | SDL2 21 | SDL2_image 22 | SDL2_mixer 23 | SDL2_net 24 | SDL2_ttf 25 | 26 | libGLU 27 | 28 | alsa-lib 29 | libpulseaudio 30 | ]; 31 | }; 32 | } 33 | -------------------------------------------------------------------------------- /pkgs/development/python-modules/jupyter_latex_envs/default.nix: -------------------------------------------------------------------------------- 1 | { lib, buildPythonPackage, fetchPypi, nbconvert, notebook, traitlets }: 2 | 3 | buildPythonPackage rec { 4 | pname = "jupyter_latex_envs"; 5 | version = "1.4.6"; 6 | 7 | src = fetchPypi { 8 | inherit pname version; 9 | sha256 = "sha256-Bwox6y3EiLupg5FYeafCk5JHv1w7Zps5i9s2qbU0OHI="; 10 | }; 11 | 12 | propagatedBuildInputs = [ nbconvert notebook traitlets ]; 13 | 14 | doCheck = false; 15 | 16 | meta = with lib; { 17 | homepage = "https://github.com/jfbercher/jupyter_latex_envs"; 18 | description = "(some) LaTeX environments for Jupyter notebook"; 19 | license = licenses.bsd3; 20 | }; 21 | } 22 | -------------------------------------------------------------------------------- /modules/services/network-filesystems/openafs/client.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, inputs, ... 
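}: 2 | 3 | with lib; 4 | 5 | { 6 | options = { 7 | cri.afs = { 8 | enable = mkEnableOption "Enable default users"; 9 | }; 10 | }; 11 | 12 | config = mkIf config.cri.afs.enable { 13 | cri.krb5.enable = true; 14 | 15 | services.openafsClient = { 16 | enable = true; 17 | cellName = "cri.epita.fr"; 18 | cache = { 19 | diskless = true; 20 | }; 21 | fakestat = true; 22 | packages = { 23 | module = config.boot.kernelPackages.openafs; 24 | programs = getBin inputs.pkgset.pkgsUnstable.openafs; 25 | }; 26 | }; 27 | }; 28 | } 29 | -------------------------------------------------------------------------------- /modules/packages/ocaml/afit.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.ocaml.afit.enable = lib.options.mkEnableOption "dev AFIT CRI OCaml package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.ocaml.afit.enable { 9 | cri.packages.ocamlPackages = with pkgs.ocamlPackages; [ 10 | alcotest 11 | astring 12 | cmdliner 13 | fmt 14 | junit 15 | junit_alcotest 16 | ocaml-syntax-shims 17 | ocamlbuild 18 | ptime 19 | re 20 | result 21 | seq 22 | stdlib-shims 23 | topkg 24 | tyxml 25 | uchar 26 | uuidm 27 | uutf 28 | zarith 29 | ]; 30 | }; 31 | } 32 | -------------------------------------------------------------------------------- /pkgs/nixpie/exec-tools/dump_create.sh: --------------------------------------------------------------------------------
#! /usr/bin/env bash
#
# Save a local disk as a Clonezilla image. The image name and the source disk
# come from the dump_image= and dump_disk= kernel command-line parameters; the
# image store is an NFS export mounted read-write on /home/partimag.
# NFS_SERVER and NFS_DIR may be overridden through the environment.

set -euo pipefail

# Print the value of kernel command-line parameter $1, or nothing when it is
# absent. `sed -n ... p` matters here: without it, a missing parameter makes
# sed echo the whole command line back and that text is used as the name.
cmdline_param() {
    sed -n "s/.*${1}=\([^ ]*\).*/\1/p" /proc/cmdline
}

# Abort unless $2 (the value of parameter $1) is a non-empty relative name
# without "..", so it stays below /dev and below the image store.
require_plain_name() {
    case "${2}" in
        "" | /* | *..*)
            echo "Invalid or missing ${1}= on the kernel command line: '${2}'" >&2
            exit 1
            ;;
    esac
}

IMAGE_NAME=$(cmdline_param dump_image)
DISK_NAME=$(cmdline_param dump_disk)
require_plain_name dump_image "${IMAGE_NAME}"
require_plain_name dump_disk "${DISK_NAME}"

# Refuse to go on when the named disk is not an existing block device.
if [[ ! -b "/dev/${DISK_NAME}" ]]; then
    echo "/dev/${DISK_NAME} is not a block device." >&2
    exit 1
fi

NFS_SERVER="${NFS_SERVER:-clone-store.pie.cri.epita.fr}"
NFS_DIR="${NFS_DIR:-/}"

echo "Creating dump ${IMAGE_NAME}..."

echo "Mounting ${NFS_SERVER}:${NFS_DIR}..."
mkdir -p /home/partimag
# Mounted read-write: this script writes the new image into the store.
mount -t nfs "${NFS_SERVER}:${NFS_DIR}" /home/partimag
echo "Finished mounting"

echo "Creating dump..."
clonezilla ocs-sr -gs -j2 -rm-win-swap-hib -z2p -scr -p choose savedisk "${IMAGE_NAME}" "${DISK_NAME}"
echo "Dump done"
-------------------------------------------------------------------------------- /pkgs/development/python-modules/jupyter-dash/default.nix: -------------------------------------------------------------------------------- 1 | { lib, buildPythonPackage, fetchPypi, flask, ipykernel, ipython, retrying, requests, ansi2html, dash }: 2 | 3 | buildPythonPackage rec { 4 | pname = "jupyter-dash"; 5 | version = "0.4.1"; 6 | 7 | src = fetchPypi { 8 | inherit pname version; 9 | sha256 = "sha256-xkxA3Zp4TKTy32OnuGnDxGPE/qB8VHTOQbfolj5oPZQ="; 10 | }; 11 | 12 | propagatedBuildInputs = [ flask ipykernel ipython retrying requests ansi2html dash ]; 13 | 14 | doCheck = false; 15 | 16 | meta = with lib; { 17 | homepage = "https://github.com/plotly/jupyter-dash"; 18 | description = "Dash support for the Jupyter notebook interface"; 19 | license = licenses.mit; 20 | }; 21 | } 22 | -------------------------------------------------------------------------------- /pkgs/development/python-modules/nbtranslate/default.nix: -------------------------------------------------------------------------------- 1 | { lib, buildPythonPackage, fetchFromGitHub, nbformat, polib }: 2 | 3 | buildPythonPackage rec { 4 | pname = "nbtranslate"; 5 | version = "20161213"; 6 | 7 | src = fetchFromGitHub { 8 | owner = "devrt"; 9 | repo = "nbtranslate"; 10 | rev = "5bfbfac5213158475ef6ff41101c25ff14b9cc6c"; 11 | sha256 = "sha256-4X+MN5IO/o4wYt4Qn8TWP3y3tdcQZxoVOeMZHzvzIOg="; 12 | }; 13 | 14 | propagatedBuildInputs = [ nbformat polib ]; 15 | 16 | doCheck = false; 17 | 18 | meta = with lib; { 19 | homepage = "https://github.com/devrt/nbtranslate"; 20 | description = "Translate content of jupyter notebook using gettext tools"; 21 | 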
license = licenses.bsd3; 22 | }; 23 | } 24 | -------------------------------------------------------------------------------- /modules/misc/label.nix: -------------------------------------------------------------------------------- 1 | { config, lib, inputs, ... }: 2 | 3 | with lib; 4 | let 5 | cfg = config.system.nixos; 6 | 7 | mkFlakeVersion = flake: "${flake.shortRev or "dirty"}"; 8 | 9 | flakes = { 10 | inherit (inputs) 11 | nixpkgs 12 | nixpkgsUnstable 13 | nixpkgsMaster 14 | ; 15 | }; 16 | 17 | versions = mapAttrsToList (name: flake: "${name}-${mkFlakeVersion flake}") flakes; 18 | 19 | nixpieLabel = "nixpie-" + (maybeEnv "NIXPIE_LABEL_VERSION" "pregit"); 20 | in 21 | { 22 | # We must assign a very high priority because `nixos-test-base` is overriding 23 | # this value with `lib.mkForce` when running checks. 24 | system.nixos.label = mkOverride 25 (concatStringsSep "_" ([ nixpieLabel ] ++ versions)); 25 | } 26 | -------------------------------------------------------------------------------- /lib/overlays-to-pkgs.nix: -------------------------------------------------------------------------------- 1 | { lib }: 2 | 3 | overlaysAttrs: pkgs: 4 | let 5 | overlayDrvs = lib.mapAttrs (_: v: v pkgs pkgs) overlaysAttrs; 6 | 7 | # some derivations fail to evaluate, simply remove them so we can move on 8 | filterDrvs = lib.filterAttrsRecursive 9 | (_: v: (builtins.tryEval v).success) 10 | overlayDrvs; 11 | 12 | drvs = lib.collect (lib.isDerivation) filterDrvs; 13 | 14 | # don't bother exporting a package if it's platform isn't supported 15 | systemDrvs = builtins.filter 16 | (drv: builtins.elem 17 | pkgs.system 18 | (drv.meta.platforms or [ ])) 19 | drvs; 20 | 21 | nvPairs = map 22 | (drv: lib.nameValuePair (lib.getName drv) drv) 23 | systemDrvs; 24 | in 25 | builtins.listToAttrs nvPairs 26 | -------------------------------------------------------------------------------- /modules/services/networking/sshd/ssh_host_rsa_key.pub: 
-------------------------------------------------------------------------------- 1 | ssh-rsa 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 2 | -------------------------------------------------------------------------------- /pkgs/overlays.nix: -------------------------------------------------------------------------------- 1 | { lib }: 2 | 3 | with lib; 4 | 5 | let 6 | tlAllPackages = import ./top-level/all-packages.nix; 7 | 8 | mkCallPackage = pkgArgs: final: prev: 9 | let 10 | defaultArgs = { 11 | callPackage = final: prev: final.callPackage; 12 | args = final: prev: { }; 13 | }; 14 | 15 | p = 16 | if builtins.isAttrs pkgArgs then 17 | (defaultArgs // pkgArgs) 18 | else 19 | defaultArgs // { path = pkgArgs; }; 20 | in 21 | (p.callPackage final prev) p.path (p.args final prev); 22 | 23 | 24 | mkOverlay = name: pkgArgs: final: prev: { 25 | "${name}" = mkCallPackage pkgArgs final prev; 26 | }; 27 | 28 | allPackages = mapAttrs mkOverlay tlAllPackages; 29 | in 30 | allPackages 31 | -------------------------------------------------------------------------------- /modules/config/krb5.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
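}:

with lib;
{

  options = {
    cri.krb5 = {
      # Toggle for the Kerberos client configuration below.
      enable = mkEnableOption "Whether to enable Kerberos authentication.";
    };
  };

  config = mkIf config.cri.krb5.enable {
    security.krb5 = {
      enable = true;
      settings = {
        libdefaults = {
          default_realm = "CRI.EPITA.FR";
          dns_fallback = true;
          # Build service principal names from the host name as given rather
          # than from a DNS-canonicalised form.
          dns_canonicalize_hostname = false;
          # `rdns` is the [libdefaults] switch for reverse-DNS lookups during
          # host name canonicalisation. It was spelt `rnds` here, which is
          # not a key krb5 recognises, so the setting was not taking effect
          # as written.
          rdns = false;
          # Tickets are requested as forwardable by default.
          forwardable = true;
        };

        realms = {
          "CRI.EPITA.FR" = {
            admin_server = "kerberos.pie.cri.epita.fr";
          };
        };
      };
    };
  };
}
-------------------------------------------------------------------------------- /modules/packages/pkgs/csharp.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.csharp.enable = lib.options.mkEnableOption "dev C# CRI package bundle"; 6 | cri.packages.pkgs.csharp.dotnetPackage = lib.options.mkOption { 7 | type = lib.types.package; 8 | default = pkgs.dotnet-sdk_7; 9 | description = "CRI dotnet SDK package"; 10 | }; 11 | }; 12 | 13 | config = lib.mkIf config.cri.packages.pkgs.csharp.enable { 14 | environment.systemPackages = with pkgs; [ 15 | config.cri.packages.pkgs.csharp.dotnetPackage 16 | jetbrains.rider 17 | ]; 18 | 19 | environment.variables = { 20 | DOTNET_ROOT = "${config.cri.packages.pkgs.csharp.dotnetPackage}/share/dotnet"; 21 | }; 22 | }; 23 | } 24 | -------------------------------------------------------------------------------- /modules/packages/python/ssse.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 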
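}: 2 | 3 | { 4 | options = { 5 | cri.packages.python.ssse.enable = lib.options.mkEnableOption "ssse Python CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.python.ssse.enable { 9 | cri.packages.pythonPackages.ssse = pythonPackages: with pythonPackages; [ 10 | matplotlib 11 | numpy 12 | jupyter 13 | scipy 14 | scikit-learn 15 | pillow 16 | pandas 17 | pytorch 18 | torchvision 19 | torchaudio 20 | lime 21 | shap 22 | seaborn 23 | 24 | # the following are disabled because tensorflow is not compatible with 25 | # python 3.12 26 | #tensorflow 27 | #keras 28 | ]; 29 | }; 30 | } 31 | -------------------------------------------------------------------------------- /pkgs/nixpie/exec-tools/dump.sh: --------------------------------------------------------------------------------
#! /usr/bin/env bash

# Restore a Clonezilla image onto a local disk.
#
# The image name and the target disk come from the kernel command line
# (dump_image=NAME dump_disk=NAME). The image is read from an NFS export
# mounted read-only on /home/partimag.

set -euo pipefail

# Print the value of kernel command-line parameter $1, or nothing when the
# parameter is absent. `sed -n ... p` is deliberate: a plain `s///` prints the
# whole command line unchanged when nothing matches, and that text would then
# be used as the image or disk name.
cmdline_param() {
  sed -n "s/.*${1}=\([^ ]*\).*/\1/p" /proc/cmdline
}

IMAGE_NAME=$(cmdline_param dump_image)
DISK_NAME=$(cmdline_param dump_disk)

# Refuse to go on with a missing parameter: the disk name is written to
# below, so it must be something the operator actually asked for.
if [ -z "${IMAGE_NAME}" ] || [ -z "${DISK_NAME}" ]; then
  echo "Error: dump_image= and dump_disk= must both be set on the kernel command line" >&2
  exit 1
fi

# The target is overwritten with dd, so it has to be an existing block device.
if [ ! -b "/dev/${DISK_NAME}" ]; then
  echo "Error: /dev/${DISK_NAME} is not a block device" >&2
  exit 1
fi

NFS_SERVER="${NFS_SERVER:-clone-store.pie.cri.epita.fr}"
NFS_DIR="${NFS_DIR:-/}"

echo "Starting dump of image ${IMAGE_NAME}..."

# NOTE(review): nothing in this script verifies the image it restores; what
# ends up on disk is whatever the NFS server answering for NFS_SERVER serves.
# Confirm the boot network is trusted or that the image is checked elsewhere.
echo "Mounting ${NFS_SERVER}:${NFS_DIR}..."
mkdir -p /home/partimag
mount -t nfs -o ro "${NFS_SERVER}:${NFS_DIR}" /home/partimag
echo "Finished mounting"

echo "Dumping image..."
# Zero the first 10 blocks of the disk (dd's default block size), presumably
# to clear the old partition table before the restore.
dd if=/dev/zero of="/dev/${DISK_NAME}" count=10
partprobe
clonezilla ocs-sr -icds -g auto -e1 auto -e2 -r -j2 -scr -p choose restoredisk "${IMAGE_NAME}" "${DISK_NAME}"
echo "Dump done"
-------------------------------------------------------------------------------- /pkgs/nswrappers/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , stdenvNoCC 3 | , makeWrapper 4 | , coreutils 5 | , ethtool 6 | , libpcap 7 | }: 8 | 9 | stdenvNoCC.mkDerivation { 10 | name = "nswrappers"; 11 | 12 | phases = [ "installPhase" "fixupPhase" ]; 13 | 14 | src = ./.; 15 | 16 | nativeBuildInputs = [ makeWrapper ]; 17 | 18 | installPhase = '' 19 | install -Dm755 --target-directory=$out/bin/ $src/* 20 | rm $out/bin/default.nix 21 | 22 | for script in $out/bin/*; do 23 | wrapProgram $script \ 24 | ${lib.concatMapStringsSep " \\\n" (pkg: "--prefix PATH : ${lib.getBin pkg}/bin") [ 25 | coreutils 26 | ethtool 27 | libpcap 28 | ]} 29 | done 30 | ''; 31 | 32 | meta = with lib; { 33 | platforms = platforms.linux; 34 | }; 35 | } 36 | -------------------------------------------------------------------------------- /pkgs/development/libraries/spot-lrde/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , stdenv 3 | , fetchurl 4 | , python3 5 | }: 6 | 7 | stdenv.mkDerivation rec { 8 | pname = "spot-lrde"; 9 | version = "2.12.1"; 10 | 11 | src = fetchurl { 12 | url = "http://www.lrde.epita.fr/dload/spot/spot-${version}.tar.gz"; 13 | sha256 = "sha256-VHfAjU4dBi8WTC5IaoNVaSXQfXDyGA3nBq96qUnG/1w="; 14 | }; 15 | 16 | enableParallelBuilding = true; 17 | 18 | buildInputs = [ python3 ]; 19 | 20 | configurePhase = '' 21 | ./configure --prefix $out 22 | ''; 23 | 24 | meta = with lib; { 25 | description = "Spot is a C++17 library for LTL, ω-automata manipulation and model checking."; 26 | homepage = "https://spot.lrde.epita.fr/"; 27 | license = licenses.gpl3; 28 | platforms = 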
platforms.unix; 29 | }; 30 | } 31 | -------------------------------------------------------------------------------- /modules/packages/pkgs/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ./afit.nix 4 | ./asm.nix 5 | ./coq.nix 6 | ./core.nix 7 | ./cpp.nix 8 | ./csharp.nix 9 | ./desktop.nix 10 | ./dev.nix 11 | ./devFunctional.nix 12 | ./docker.nix 13 | ./fuse.nix 14 | ./games.nix 15 | ./gpgpu.nix 16 | ./gtk.nix 17 | ./tcinfo.nix 18 | ./java.nix 19 | ./js.nix 20 | ./latex-exam.nix 21 | ./libvirt.nix 22 | ./lisp.nix 23 | ./net.nix 24 | ./nts.nix 25 | ./ocaml.nix 26 | ./octave.nix 27 | ./opengl.nix 28 | ./podman.nix 29 | ./prolog.nix 30 | ./prpa.nix 31 | ./python.nix 32 | ./r.nix 33 | ./rust.nix 34 | ./scala.nix 35 | ./sdl.nix 36 | ./spider.nix 37 | ./sql.nix 38 | ./ssse.nix 39 | ./thl.nix 40 | ./tiger.nix 41 | ]; 42 | } 43 | -------------------------------------------------------------------------------- /modules/packages/pkgs/net.nix: --------------------------------------------------------------------------------
# NET package bundle: installs the packages listed below, enables the
# VirtualBox host service and adds a capability wrapper for ubridge.
{ config, lib, pkgs, ... }:

{
  options = {
    cri.packages.pkgs.net.enable = lib.options.mkEnableOption "NET CRI package bundle";
  };

  config = lib.mkIf config.cri.packages.pkgs.net.enable {
    environment.systemPackages = with pkgs; [
      gns3-gui
      gns3-server
      inetutils
      pkgsi686Linux.dynamips
      tigervnc
      vpcs
      aria2
      opentracker
      mktorrent
    ];

    virtualisation.virtualbox.host.enable = true;

    # ubridge is exposed through a capability wrapper: the wrapped binary
    # runs with cap_net_admin and cap_net_raw (effective + permitted).
    # NOTE(review): `permissions` includes o+x, so every local account can
    # execute ubridge with these capabilities. If only some users need it,
    # drop o+x and set `group` to a dedicated group instead of root.
    security.wrappers.ubridge = {
      source = "${pkgs.ubridge}/bin/ubridge";
      capabilities = "cap_net_admin,cap_net_raw=ep";
      owner = "root";
      group = "root";
      permissions = "u+rx,g+x,o+x";
    };
  };
}
-------------------------------------------------------------------------------- /pkgs/data/documentation/numpy/default.nix: -------------------------------------------------------------------------------- 1 | { lib, stdenv, fetchzip, python3Packages }: 2 | 3 | let 4 | numpyVersion = builtins.concatStringsSep "." (lib.lists.take 2 (builtins.splitVersion python3Packages.numpy.version)); 5 | in 6 | stdenv.mkDerivation rec { 7 | pname = "numpy-doc"; 8 | version = numpyVersion; 9 | 10 | src = fetchzip { 11 | url = "https://numpy.org/doc/${version}/numpy-html.zip"; 12 | hash = "sha256-f1L5rvxnXhj+IIEnp/R2t/8mJx59/cVZpC7CmO9/Tm0="; 13 | stripRoot = false; 14 | }; 15 | 16 | installPhase = '' 17 | mkdir -p $out 18 | cp -r * $out 19 | ''; 20 | 21 | meta = with lib; { 22 | description = "NumPy Documentation for version ${version}"; 23 | homepage = "https://numpy.org/doc/${version}/"; 24 | platforms = platforms.linux; 25 | license = licenses.mit; 26 | }; 27 | } 28 | -------------------------------------------------------------------------------- /pkgs/nswrappers/ns-add-if: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | usage() { 6 | echo "Usage: ${0} NAME NS1 NS2" 7 | } 8 | 9 | if [[ "${EUID}" -ne 0 ]]; then 10 | echo "This 
command need to be run as root." 11 | exit 1 12 | fi 13 | 14 | if [[ "${#}" -ne 3 ]]; then 15 | usage 16 | exit 1 17 | fi 18 | 19 | IFN="${1}" 20 | NS1="${2}" 21 | NS2="${3}" 22 | 23 | ip link add "${IFN}-1-${NS1}" type veth peer name "${IFN}-2-${NS2}" 24 | ip link set dev "${IFN}-1-${NS1}" netns "${NS1}" up 25 | ip link set dev "${IFN}-2-${NS2}" netns "${NS2}" up 26 | 27 | ip netns exec "${NS1}" ethtool -K "${IFN}-1-${NS1}" tx off > /dev/null 28 | ip netns exec "${NS2}" ethtool -K "${IFN}-2-${NS2}" tx off > /dev/null 29 | 30 | echo "Interface '${IFN}-1-${NS1}' created in namespace '${NS1}'." 31 | echo "Interface '${IFN}-2-${NS2}' created in namespace '${NS2}'." 32 | -------------------------------------------------------------------------------- /pkgs/development/python-modules/dtale/default.nix: -------------------------------------------------------------------------------- 1 | { lib, buildPythonPackage, fetchPypi, flask-compress, dash-bootstrap-components, strsimpy, dash-colorscales, dash-daq, missingno, statsmodels }: 2 | 3 | buildPythonPackage rec { 4 | pname = "dtale"; 5 | version = "3.16.0"; 6 | 7 | src = fetchPypi { 8 | inherit pname version; 9 | hash = "sha256-94utfwFCwJhLn9rNIoNQ0b7hcbKWiIN3w3N462Z3ek8="; 10 | }; 11 | 12 | propagatedBuildInputs = [ 13 | flask-compress 14 | dash-bootstrap-components 15 | strsimpy 16 | dash-colorscales 17 | dash-daq 18 | missingno 19 | statsmodels 20 | ]; 21 | 22 | doCheck = false; 23 | 24 | meta = with lib; { 25 | homepage = "https://github.com/man-group/dtale"; 26 | description = "Web Client for Visualizing Pandas Objects"; 27 | license = licenses.lgpl21Only; 28 | }; 29 | } 30 | -------------------------------------------------------------------------------- /tests/criterion.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | 3 | let 4 | testSuccess = pkgs.writeText "success.c" '' 5 | #include 6 | 7 | Test(simple, test) { 8 | cr_assert(1, "success"); 9 | } 10 | ''; 11 | testFail = pkgs.writeText "fail.c" '' 12 | #include 13 | 14 | Test(simple, test) { 15 | cr_assert(0, "fail"); 16 | } 17 | ''; 18 | in 19 | { 20 | nodes.machine = { config, pkgs, ... }: { 21 | cri.packages.pkgs.dev.enable = true; 22 | }; 23 | 24 | testScript = '' 25 | start_all() 26 | machine.succeed("gcc -o success ${testSuccess} -lcriterion --std=c99 -Wall -Werror -Wextra -pedantic") 27 | machine.succeed("./success") 28 | machine.succeed("gcc -o fail ${testFail} -lcriterion --std=c99 -Wall -Werror -Wextra -pedantic") 29 | machine.fail("./fail") 30 | ''; 31 | } 32 | -------------------------------------------------------------------------------- /modules/packages/pkgs/core.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.core.enable = lib.options.mkEnableOption "core CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.core.enable { 9 | cri.packages.python.core.enable = lib.mkDefault true; 10 | 11 | environment.systemPackages = with pkgs; [ 12 | file 13 | git 14 | htop 15 | iftop 16 | iotop 17 | iproute2 18 | ldns 19 | lsof 20 | man-pages 21 | man-pages-posix 22 | mtr 23 | ncdu 24 | pciutils 25 | pipenv 26 | procps 27 | psmisc 28 | rsync 29 | screen 30 | tcpdump 31 | inetutils 32 | tmux 33 | tree 34 | usbutils 35 | utillinux 36 | unzip 37 | wget 38 | zip 39 | ]; 40 | }; 41 | } 42 | -------------------------------------------------------------------------------- /images/nixos-pie.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}: 2 | 3 | { 4 | imports = [ 5 | ../profiles/graphical 6 | ]; 7 | 8 | netboot.enable = true; 9 | cri.sddm.title = "NixOS PIE"; 10 | 11 | environment.systemPackages = with pkgs; [ 12 | #spot-lrde 13 | tina 14 | ]; 15 | 16 | cri.packages.pythonPackages.nixosPieCustom = p: with p; [ 17 | networkx 18 | osmnx 19 | ]; 20 | 21 | cri.packages = { 22 | pkgs = { 23 | cpp.enable = true; 24 | dev.enable = true; 25 | devFunctional.enable = true; 26 | java.enable = true; 27 | js.enable = true; 28 | podman.enable = true; 29 | prpa.enable = true; 30 | prolog.enable = true; 31 | spider.enable = true; 32 | sql.enable = true; 33 | thl.enable = true; 34 | tiger.enable = true; 35 | }; 36 | }; 37 | 38 | cri.nswrappers.enable = true; 39 | } 40 | -------------------------------------------------------------------------------- /pkgs/os-specific/linux/pam_subuid/default.nix: -------------------------------------------------------------------------------- 1 | { lib, stdenv, fetchFromGitHub, meson, ninja, pam, shadow }: 2 | 3 | stdenv.mkDerivation rec { 4 | pname = "pam_subuid"; 5 | version = "2020-04-30"; 6 | 7 | src = fetchFromGitHub { 8 | owner = "yrro"; 9 | repo = pname; 10 | rev = "e91b4ac7031e282c448a5469aca0e57022bf2626"; 11 | sha256 = "sha256-cYIKrdAhau2lb2WFyzUQAQuRlKZ4gh8lPnvgftP7RE8="; 12 | }; 13 | 14 | buildInputs = [ pam ]; 15 | nativeBuildInputs = [ meson ninja ]; 16 | 17 | prePatch = '' 18 | substituteInPlace pam.c \ 19 | --replace '"usermod"' '"${shadow}/bin/usermod"' 20 | substituteInPlace subxid.h \ 21 | --replace 'struct xid xid_' 'extern struct xid xid_' 22 | ''; 23 | 24 | meta = with lib; { 25 | homepage = "https://github.com/yrro/pam_subuid"; 26 | platforms = platforms.linux; 27 | license = licenses.isc; 28 | }; 29 | } 30 | -------------------------------------------------------------------------------- /pkgs/nixpie/exam-start/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , writers 3 | , python3Packages 4 | }: 
5 | 6 | let 7 | requests-gssapi = python3Packages.buildPythonPackage rec { 8 | pname = "requests-gssapi"; 9 | version = "1.2.3"; 10 | 11 | src = python3Packages.fetchPypi { 12 | inherit pname version; 13 | sha256 = "sha256-IHhFCJgUAfcVPJM+7QlTOJM6QIGNplolnb8tgNzLFQ4="; 14 | }; 15 | 16 | propagatedBuildInputs = with python3Packages; [ 17 | gssapi 18 | requests 19 | ]; 20 | }; 21 | in 22 | (writers.writePython3Bin "exam-start" 23 | { 24 | libraries = with python3Packages; [ 25 | gssapi 26 | requests 27 | requests-gssapi 28 | sh 29 | termcolor 30 | ]; 31 | flakeIgnore = [ "E265" "E501" ]; 32 | } 33 | (builtins.readFile ./exam-start) 34 | ) // { 35 | meta = with lib; { 36 | platforms = platforms.linux; 37 | }; 38 | } 39 | -------------------------------------------------------------------------------- /modules/services/misc/idle-shutdown/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | let 4 | cfg = config.cri.idle-shutdown; 5 | in 6 | { 7 | options = { 8 | cri.idle-shutdown = { 9 | enable = lib.mkEnableOption "idle shutdown"; 10 | }; 11 | }; 12 | 13 | config = lib.mkIf cfg.enable { 14 | systemd.services.idle-shutdown = { 15 | description = "Poweroff computer when idling"; 16 | serviceConfig = { 17 | Type = "oneshot"; 18 | ExecStart = "${pkgs.bash}/bin/bash ${./idle-shutdown.sh}"; 19 | }; 20 | }; 21 | 22 | systemd.timers.idle-shutdown = { 23 | description = "Check computer idle status on time"; 24 | timerConfig = { 25 | Unit = "idle-shutdown.service"; 26 | OnCalendar = "*-*-* *:*:00"; 27 | RandomizedDelaySec = 40; 28 | }; 29 | wantedBy = [ "multi-user.target" ]; 30 | }; 31 | }; 32 | } 33 | -------------------------------------------------------------------------------- /pkgs/development/compilers/reflex/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , fetchFromGitHub 3 | , stdenv 4 | , pkgs 5 | }: 6 | 7 | stdenv.mkDerivation 
rec { 8 | pname = "reflex"; 9 | version = "3.2.11"; 10 | 11 | src = fetchFromGitHub { 12 | owner = "Genivia"; 13 | repo = "RE-flex"; 14 | rev = "bc1985e3088466239f7b5fb8fd6d584f18074d7f"; 15 | sha256 = "sha256-QPX6+qHpsfdUva4mZPmeOkwccklCFnckb6ukNuxPsTU="; 16 | }; 17 | 18 | enableParallelBuilding = true; 19 | 20 | nativeBuildInputs = with pkgs; [ 21 | doxygen 22 | boost 23 | autoconf 24 | automake 25 | ]; 26 | 27 | doCheck = true; 28 | doInstallCheck = true; 29 | 30 | meta = with lib; { 31 | description = "RE/flex is a free and open-source alternative to the fast lexical analyzer Flex"; 32 | homepage = "https://www.genivia.com/reflex.html"; 33 | license = licenses.bsd3; 34 | platforms = platforms.all; 35 | }; 36 | } 37 | -------------------------------------------------------------------------------- /tests/dotnet.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | 3 | let 4 | csproject = pkgs.writeText "Test.csproj" '' 5 | 6 | 7 | Exe 8 | net7.0 9 | 10 | 11 | ''; 12 | program = pkgs.writeText "Program.cs" '' 13 | using System; 14 | 15 | class TestClass 16 | { 17 | static void Main(string[] args) 18 | { 19 | Console.WriteLine("Test successful!"); 20 | } 21 | } 22 | ''; 23 | in 24 | { 25 | nodes.machine = { config, pkgs, ... }: { 26 | cri.packages.pkgs.csharp.enable = true; 27 | }; 28 | 29 | testScript = '' 30 | start_all() 31 | machine.succeed("cp ${csproject} ${csproject.name}") 32 | machine.succeed("cp ${program} ${program.name}") 33 | machine.succeed("dotnet build") 34 | machine.succeed("./bin/Debug/net7.0/Test") 35 | ''; 36 | } 37 | -------------------------------------------------------------------------------- /modules/services/admin/node-exporter.nix: -------------------------------------------------------------------------------- 1 | { imageName, config, pkgs, lib, ... 
}: 2 | 3 | with lib; 4 | 5 | let 6 | cfg = config.cri.node-exporter; 7 | in 8 | { 9 | options = { 10 | cri.node-exporter = { 11 | enable = mkEnableOption "node-exporter"; 12 | }; 13 | }; 14 | 15 | config = mkIf cfg.enable { 16 | services.prometheus.exporters.node = { 17 | enable = true; 18 | openFirewall = true; 19 | enabledCollectors = [ 20 | "logind" 21 | "systemd" 22 | ]; 23 | extraFlags = [ 24 | "--collector.textfile.directory=/etc/prometheus-node-exporter-textfile" 25 | ]; 26 | }; 27 | 28 | environment.etc."prometheus-node-exporter-textfile/nixpie.prom".text = 29 | let 30 | versions = (builtins.replaceStrings [ "_" "-" ] [ "\", " "=\"" ] config.system.nixos.label) + "\""; 31 | in 32 | '' 33 | nixpie_image{image="${imageName}", ${versions}} 1 34 | ''; 35 | }; 36 | } 37 | -------------------------------------------------------------------------------- /modules/services/misc/sm-inventory-agent/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | let 4 | cfg = config.cri.sm-inventory-agent; 5 | in 6 | { 7 | options = { 8 | cri.sm-inventory-agent = { 9 | enable = lib.mkEnableOption "SM inventory agent"; 10 | }; 11 | }; 12 | 13 | config = lib.mkIf cfg.enable { 14 | systemd.services.sm-inventory-agent = { 15 | description = "Push SM inventory info"; 16 | wants = [ "network-online.target" ]; 17 | after = [ "network-online.target" ]; 18 | path = with pkgs; [ 19 | coreutils 20 | gnused 21 | gnugrep 22 | inetutils 23 | dmidecode 24 | read-edid 25 | curl 26 | ]; 27 | serviceConfig = { 28 | Type = "oneshot"; 29 | ExecStart = "${pkgs.bash}/bin/bash ${./push-sm-inventory.sh}"; 30 | Restart = "on-failure"; 31 | RestartSec = "10"; 32 | }; 33 | wantedBy = [ "multi-user.target" ]; 34 | }; 35 | }; 36 | } 37 | -------------------------------------------------------------------------------- /pkgs/development/tools/dirbuster/default.nix: -------------------------------------------------------------------------------- 1 | { stdenv, lib, fetchurl, makeWrapper, jre }: 2 | stdenv.mkDerivation rec { 3 | pname = "DirBuster"; 4 | version = "1.0-RC1"; 5 | 6 | src = fetchurl { 7 | url = "mirror://sourceforge/dirbuster/${pname}%20%28jar%20%2B%20lists%29/${version}/${pname}-${version}.tar.bz2"; 8 | sha256 = "sha256-UoEt1NkaLsKux3lr+AB+TZCCshQs2hIo63igT39V68E="; 9 | }; 10 | 11 | nativeBuildInputs = [ makeWrapper ]; 12 | 13 | installPhase = '' 14 | mkdir -pv $out/share/java $out/bin 15 | 16 | cp *.jar $out/share/java/ 17 | cp -r lib $out/share/java/ 18 | 19 | makeWrapper ${jre}/bin/java $out/bin/${pname} \ 20 | --add-flags "-jar $out/share/java/${pname}-${version}.jar" 21 | ''; 22 | 23 | meta = { 24 | description = "multi threaded brute force web discovery application"; 25 | homepage = "https://sourceforge.net/projects/dirbuster/"; 26 | license = with lib.licenses; [ gpl2 ]; 27 | platforms = lib.platforms.unix; 28 | }; 29 | } 30 | -------------------------------------------------------------------------------- 
/pkgs/nixpie/exec-tools/clear_disk.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | echo "Scanning disks on your system:" 6 | disks="$(lsblk --list --noheadings --paths --output NAME,SIZE,TYPE | grep ' disk')" 7 | 8 | echo "${disks}" | while read name size; do 9 | echo " - ${name} (${size})" 10 | done 11 | 12 | if [ -z "${disks}" ]; then 13 | echo "Error: no disk found!" 14 | exit 1 15 | fi 16 | 17 | if [ "$(echo "${disks}" | wc -l)" -ne 1 ]; then 18 | DISK_NAME="/dev/invalid" 19 | 20 | while [ ! -b "${DISK_NAME}" ]; do 21 | echo -n "Choose a disk: " 22 | read -r DISK_NAME 23 | done 24 | else 25 | DISK_NAME="$(echo "${disks}" | cut -d" " -f1)" 26 | fi 27 | 28 | echo "Deleting partitions on ${DISK_NAME}" 29 | echo "ALL THIS DISK CONTENT WILL BE ERASED!" 30 | echo "Press Ctrl+C to cancel..." 31 | echo "Waiting 10 seconds before starting..." 32 | 33 | sleep 10 34 | 35 | sgdisk --zap-all "${DISK_NAME}" 36 | sgdisk --clear "${DISK_NAME}" 37 | 38 | partx --update "${DISK_NAME}" 39 | sleep 5 40 | -------------------------------------------------------------------------------- /pkgs/development/compilers/ovm/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , fetchFromGitLab 3 | , ocamlPackages 4 | , ocaml 5 | }: 6 | 7 | ocamlPackages.buildDunePackage rec { 8 | pname = "ovm"; 9 | version = "0.1-20250323"; 10 | 11 | src = fetchFromGitLab { 12 | domain = "gitlab.lre.epita.fr"; 13 | owner = "tiger"; 14 | repo = "ovm"; 15 | rev = "7eab104a541baf96a5249e3861b7a9aba4414461"; 16 | sha256 = "sha256-uCbvKN/3ppdzekh7l4QHKMCvpfgZJD88nSR6ikj9HZc"; 17 | fetchSubmodules = true; 18 | }; 19 | 20 | nativeBuildInputs = [ 21 | ocamlPackages.menhir 22 | ]; 23 | 24 | buildInputs = [ 25 | ocamlPackages.dune-build-info 26 | ]; 27 | 28 | duneVersion = "3"; 29 | doCheck = lib.versionAtLeast ocaml.version "5.21"; 30 | 31 | meta = with lib; { 32 | 
description = "OVM (Virtual Machine for Tree Language)"; 33 | homepage = "https://gitlab.lre.epita.fr/tiger/ovm"; 34 | license = licenses.mit; 35 | platforms = platforms.linux; 36 | maintainers = with maintainers; [ ]; 37 | }; 38 | } 39 | -------------------------------------------------------------------------------- /modules/nswrappers.nix: --------------------------------------------------------------------------------
# Installs the ns-* helper scripts (described by the option below as
# "wrappers for ip netns commands") and adds a sudo rule for them.
{ config, pkgs, lib, ... }:

let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.cri.nswrappers;
in
{
  options = {
    cri.nswrappers = {
      enable = mkEnableOption "wrappers for ip netns commands";
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = with pkgs; [
      ethtool
      libpcap
      nswrappers
      wireshark
    ];

    # Passwordless sudo for every account ("ALL"), limited to the five ns-*
    # scripts at their system-profile paths.
    # NOTE(review): each script therefore runs as root on behalf of an
    # unprivileged caller, and a sudoers command given without an argument
    # list accepts any arguments, so the scripts' own argument handling is
    # the privilege boundary. ns-exec is not defined in this file: if it runs
    # a caller-supplied command, confirm it switches back to the invoking
    # user before doing so.
    security.sudo.extraRules = [{
      users = [ "ALL" ];
      commands = [
        { command = "/run/current-system/sw/bin/ns-init"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/ns-add-if"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/ns-exec"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/ns-del-if"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/ns-destroy"; options = [ "NOPASSWD" ]; }
      ];
    }];
  };
}
-------------------------------------------------------------------------------- /pkgs/development/tools/clang-format-epita/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , clang-tools 3 | , findutils 4 | , git 5 | , writeShellScriptBin 6 | }: 7 | 8 | writeShellScriptBin "clang-format-epita" '' 9 | # This script checks a git repository has a clang-format configuration and runs 10 | # clang-format with the given parameters. 
11 | 12 | die() { 13 | printf "\033[0;31m''${@}\033[0m\n" 14 | exit 1 15 | } 16 | 17 | repo="$(${git}/bin/git rev-parse --show-toplevel 2>/dev/null)" 18 | 19 | if test "$?" -ne 0; then 20 | die "You must run this script from the work tree of a git repository" 21 | fi 22 | 23 | clang_format_file="''${repo}/.clang-format" 24 | 25 | if ! test -f "''${clang_format_file}"; then 26 | die "Failed to find clang-format configuration at ''${clang_format_file}" 27 | fi 28 | 29 | ${findutils}/bin/find "$repo" -type f -regex '.*\.\(c\|h\|cc\|hh\|hxx\)' -exec ${clang-tools}/bin/clang-format --style=file -i {} ';' 30 | 31 | '' // { 32 | meta = with lib; { 33 | platforms = platforms.linux; 34 | }; 35 | } 36 | -------------------------------------------------------------------------------- /pkgs/applications/display-managers/sddm/sddm-epita-themes.nix: -------------------------------------------------------------------------------- 1 | { lib, stdenv, fetchurl, extraThemeConfig ? "" }: 2 | 3 | let 4 | themes = [ "epita-simplyblack" "epita-acu-2023" "epita-acu-2024" "epita-acu-2025" "epita-acu-2026" ]; 5 | in 6 | stdenv.mkDerivation rec { 7 | pname = "sddm-epita-themes"; 8 | version = "1.4.0"; 9 | 10 | src = fetchurl { 11 | url = "https://gitlab.cri.epita.fr/forge/packages/epita-themes-sddm/-/archive/${version}/epita-themes-sddm-${version}.tar.gz"; 12 | sha256 = "sha256-ffadjlkMsjf0vmTiWq05qKQcKC9I37XVKiSz38YxujE="; 13 | }; 14 | 15 | unpackPhase = '' 16 | tar xf $src 17 | ''; 18 | 19 | installPhase = lib.concatMapStrings 20 | (theme: '' 21 | install -d $out/share/sddm/themes/${theme} 22 | install -Dm644 \ 23 | epita-themes-sddm-${version}/${theme}/* \ 24 | $out/share/sddm/themes/${theme} 25 | echo "${extraThemeConfig}" >> $out/share/sddm/themes/${theme}/theme.conf 26 | '') 27 | themes; 28 | 29 | meta = with lib; { 30 | platforms = platforms.unix; 31 | }; 32 | } 33 | -------------------------------------------------------------------------------- 
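/modules/services/misc/idle-shutdown/idle-shutdown.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Power the machine off once no user has been logged in for DELAY seconds.
#
# Meant to be run repeatedly: between runs the script keeps, in
# IDLE_SINCE_PATH, the epoch time of the first run that saw no user session.
set -euo pipefail

# delay in seconds before shutdown after no user is logged
DELAY="${DELAY:-7200}"
IDLE_SINCE_PATH="/run/nixpie-idle-shutdown"

# A non-numeric DELAY would make the `-lt` test below fail with an error,
# which `if` treats as "false" and which would lead straight to poweroff.
if ! [[ "$DELAY" =~ ^[0-9]+$ ]] ; then
  echo "Invalid DELAY '${DELAY}': expected a number of seconds" >&2
  exit 1
fi

# Only act when the resolver configuration mentions the machine-room domain.
if ! grep -q 'sm\.cri\.epita\.fr' /etc/resolv.conf ; then
  echo "Not in machine room"
  exit
fi

# if someone is logged in (any session line that does not mention sddm)
if loginctl list-sessions --no-pager --no-legend | grep -q -v sddm ; then
  echo "A user is logged in. Exiting."
  # Reset the idle marker so the countdown restarts after logout.
  echo "" > "$IDLE_SINCE_PATH"
  exit
fi

IDLE_SINCE=$(cat "$IDLE_SINCE_PATH" 2>/dev/null || echo "")
CURRENT_TIME=$(date +%s)

# A missing, empty or malformed marker all mean "start counting now". The
# value is used inside $(( )) below, where bash evaluates non-numeric text as
# an expression, so only a plain decimal timestamp is accepted.
if ! [[ "$IDLE_SINCE" =~ ^[1-9][0-9]*$ ]] ; then
  echo "No user is logged. Logging current time."
  echo "$CURRENT_TIME" > "$IDLE_SINCE_PATH"
  exit
fi

if [ "$(( CURRENT_TIME - IDLE_SINCE ))" -lt "$DELAY" ] ; then
  echo "Machine has not been idling for enough time. Exiting."
  exit
fi

echo "Machine has been idling for too long, shutting down"
poweroff
-------------------------------------------------------------------------------- /pkgs/development/compilers/havm/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , fetchgit 3 | , stdenv 4 | , autoconf271 5 | , automake 6 | , ghc 7 | , texinfo 8 | , which 9 | }: 10 | 11 | stdenv.mkDerivation rec { 12 | pname = "havm"; 13 | version = "0.28"; 14 | 15 | src = fetchgit { 16 | url = "https://gitlab.lre.epita.fr/tiger/havm.git"; 17 | rev = "53dca210b8c43ae8d64046e0ebf66b6a0eaf168c"; 18 | sha256 = "sha256-Nw8erEKNNObj3WmnDAT8hlXKkA8Bev7Du33FsbHLb5Q="; 19 | }; 20 | 21 | enableParallelBuilding = true; 22 | 23 | preConfigure = '' 24 | ./bootstrap 25 | ''; 26 | 27 | nativeBuildInputs = [ 28 | autoconf271 29 | automake 30 | ghc 31 | texinfo 32 | ]; 33 | 34 | checkInputs = [ 35 | which 36 | ]; 37 | 38 | doCheck = true; 39 | doInstallCheck = true; 40 | 41 | meta = with lib; { 42 | description = "HAVM, virtual machine designed to execute simple register based 43 | high level intermediate code"; 44 | homepage = "https://www.lrde.epita.fr/wiki/Havm"; 45 | license = licenses.gpl2Plus; 46 | platforms = platforms.all; 47 | }; 48 | } 49 | -------------------------------------------------------------------------------- /tests/gtest.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 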
}: 2 | 3 | let 4 | testSuccess = pkgs.writeText "success.cc" '' 5 | #include 6 | 7 | TEST (PassingTest, Passing) 8 | { 9 | EXPECT_EQ(1, 1); 10 | } 11 | 12 | int main(int argc, char **argv) 13 | { 14 | ::testing::InitGoogleTest(&argc, argv); 15 | return RUN_ALL_TESTS(); 16 | } 17 | ''; 18 | testFail = pkgs.writeText "fail.cc" '' 19 | #include 20 | 21 | TEST (PassingTest, Passing) 22 | { 23 | EXPECT_EQ(1, 0); 24 | } 25 | 26 | int main(int argc, char **argv) 27 | { 28 | ::testing::InitGoogleTest(&argc, argv); 29 | return RUN_ALL_TESTS(); 30 | } 31 | ''; 32 | in 33 | { 34 | nodes.machine = { config, pkgs, ... }: { 35 | cri.packages.pkgs.dev.enable = true; 36 | }; 37 | 38 | testScript = '' 39 | start_all() 40 | machine.succeed("g++ ${testSuccess} -lgtest -o success") 41 | machine.succeed("./success") 42 | machine.succeed("g++ ${testFail} -lgtest -o fail") 43 | machine.fail("./fail") 44 | ''; 45 | } 46 | -------------------------------------------------------------------------------- /modules/list.nix: -------------------------------------------------------------------------------- 1 | { 2 | krb5 = ./config/krb5.nix; 3 | ldap = ./config/ldap.nix; 4 | users = ./config/users-groups.nix; 5 | 6 | nswrappers = ./nswrappers.nix; 7 | 8 | label = ./misc/label.nix; 9 | 10 | packages = ./packages; 11 | yubikey = ./programs/yubikey.nix; 12 | 13 | machine-state = ./services/admin/machine-state.nix; 14 | node-exporter = ./services/admin/node-exporter.nix; 15 | salt = ./services/admin/salt/minion.nix; 16 | 17 | audio = ./services/audio/alsa.nix; 18 | bluetooth = ./services/hardware/bluetooth.nix; 19 | afs = ./services/network-filesystems/openafs/client.nix; 20 | aria2 = ./services/networking/aria2.nix; 21 | privoxy = ./services/networking/privoxy.nix; 22 | sshd = ./services/networking/sshd/sshd.nix; 23 | xfce = ./services/x11/desktop-managers/xfce.nix; 24 | sddm = ./services/x11/display-managers/sddm.nix; 25 | redshift = ./services/x11/redshift.nix; 26 | i3 = 
./services/x11/window-managers/i3.nix; 27 | idle-shutdown = ./services/misc/idle-shutdown; 28 | sm-inventory-agent = ./services/misc/sm-inventory-agent; 29 | 30 | netboot = ./system/boot/netboot.nix; 31 | } 32 | -------------------------------------------------------------------------------- /.gitlab/ci/utils.sh: -------------------------------------------------------------------------------- 1 | DIFF_DIR="${CI_PROJECT_DIR}/diffs" 2 | 3 | echoErr() { >&2 echo -e "\e[1;31m[ERR] ${*}\e[0m" ; } 4 | echoWarn() { >&2 echo -e "\e[1;33m[WARN] ${*}\e[0m" ; } 5 | echoInfo() { >&2 echo -e "\e[1;34m[INFO] ${*}\e[0m" ; } 6 | echoSuccess() { >&2 echo -e "\e[1;32m[SUCCESS] ${*}\e[0m" ; } 7 | 8 | function isFork() { 9 | [ -n "${CI_MERGE_REQUEST_SOURCE_PROJECT_URL:-}" ] && [ "${CI_MERGE_REQUEST_SOURCE_PROJECT_URL:-}" != "https://gitlab.cri.epita.fr/forge/infra/nixpie" ] 10 | } 11 | 12 | function print_defaults() { 13 | echoInfo "Printing some default stuff..." 14 | cat < stage2Init 32 | 33 | # Generate the squashfs image. 
34 | mksquashfs \ 35 | nix-path-registration stage2Init $(cat $closureInfo/store-paths) \ 36 | $out/${name} \ 37 | -keep-as-directory -all-root -b 1048576 -comp ${comp} \ 38 | -reproducible -no-fragments 39 | ''; 40 | } 41 | -------------------------------------------------------------------------------- /pkgs/nixpie/exec-tools/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , stdenvNoCC 3 | , makeWrapper 4 | , clonezilla 5 | , coreutils 6 | , e2fsprogs 7 | , gawk 8 | , gnugrep 9 | , gnused 10 | , gptfdisk 11 | , htop 12 | , nfs-utils 13 | , parted 14 | , util-linux 15 | , jq 16 | , nix 17 | , git 18 | , dialog 19 | , dosfstools 20 | , nixos-install-tools 21 | }: 22 | 23 | stdenvNoCC.mkDerivation { 24 | name = "exec-tools"; 25 | 26 | phases = [ "installPhase" "fixupPhase" ]; 27 | 28 | src = ./.; 29 | 30 | nativeBuildInputs = [ makeWrapper ]; 31 | 32 | installPhase = '' 33 | install -Dm755 --target-directory=$out/bin/ $src/*.sh 34 | 35 | for script in $out/bin/*.sh; do 36 | wrapProgram $script \ 37 | ${lib.concatMapStringsSep " \\\n" (pkg: "--prefix PATH : ${lib.getBin pkg}/bin") [ 38 | clonezilla 39 | coreutils 40 | e2fsprogs 41 | gawk 42 | gnugrep 43 | gnused 44 | gptfdisk 45 | htop 46 | nfs-utils 47 | parted 48 | util-linux 49 | jq 50 | nix 51 | git 52 | dialog 53 | dosfstools 54 | nixos-install-tools 55 | ]} 56 | done 57 | ''; 58 | 59 | meta = with lib; { 60 | platforms = platforms.linux; 61 | }; 62 | } 63 | -------------------------------------------------------------------------------- /pkgs/development/compilers/m68k/default.nix: -------------------------------------------------------------------------------- 1 | { lib, stdenv, autoPatchelfHook, qtbase, wrapQtAppsHook, libdrm, mesa }: 2 | 3 | stdenv.mkDerivation rec { 4 | pname = "m68k"; 5 | version = "1.0"; 6 | 7 | src = builtins.fetchTarball { 8 | url = "https://static.cri.epita.fr/pkg/TP_68000_Ubuntu64.tar.gz"; 9 | sha256 = 
"sha256-1TWeG4xx1Y4XtZ5QiDoVtn8cnMRNcgH5isNkZHpb2Ac="; 10 | }; 11 | 12 | nativeBuildInputs = [ autoPatchelfHook wrapQtAppsHook ]; 13 | buildInputs = [ qtbase libdrm mesa ]; 14 | 15 | installPhase = '' 16 | cd $src/68000 17 | find -type f -not -name '*.so*' -exec install -Dm755 "{}" "$out/bin/{}" \; 18 | find -type f -name '*.so*' -exec install -Dm644 "{}" "$out/lib/{}" \; 19 | cd $src/editor 20 | find -type f -exec install -Dm644 "{}" "$out/share/geany/filedefs/{}" \; 21 | ''; 22 | 23 | preFixup = '' 24 | sed -i 's/appname=.*/appname=d68k/' "$out/bin/d68k.sh" 25 | wrapQtApp "$out/bin/d68k.sh" 26 | 27 | sed -i "s,~/68000,$out/bin,g" "$out/share/geany/filedefs/filetypes.asm" 28 | ''; 29 | 30 | 31 | meta = with lib; { 32 | homepage = "http://www.debug-pro.com/epita/archi/s3/fr/"; 33 | description = "Geany plugin to program and emulate execution of Motorola 68000 applications"; 34 | platforms = platforms.linux; 35 | }; 36 | } 37 | -------------------------------------------------------------------------------- /modules/services/admin/machine-state.nix: -------------------------------------------------------------------------------- 1 | { imageName, config, pkgs, lib, inputs, ... 
}: 2 | 3 | with lib; 4 | 5 | let 6 | cfg = config.cri.machine-state; 7 | in 8 | { 9 | options = { 10 | cri.machine-state = { 11 | enable = mkEnableOption "machine state"; 12 | }; 13 | }; 14 | 15 | config = mkIf cfg.enable { 16 | services.dbus.packages = [ pkgs.machine-state ]; 17 | 18 | systemd.services.machine-state = { 19 | description = "DBus object representing current machine state"; 20 | wantedBy = [ "multi-user.target" ]; 21 | after = [ "network-online.target" ]; 22 | wants = [ "network-online.target" ]; 23 | 24 | serviceConfig = { 25 | Restart = "always"; 26 | }; 27 | 28 | environment = { 29 | MACHINE_STATE_SESSION_ENDPOINT = "https://fleet.pie.cri.epita.fr/api/sessions/ping"; 30 | MACHINE_STATE_ISSUES_ENDPOINT = "https://fleet.pie.cri.epita.fr/api/fleet/issues/"; 31 | IMAGE = imageName; 32 | }; 33 | 34 | preStart = '' 35 | # We're just waiting for an IP to appear, we don't actually care about 36 | # it here 37 | ${pkgs.nixpie-utils}/bin/get_ip.sh 38 | ''; 39 | 40 | script = '' 41 | export MACHINE_STATE_IP="$(${pkgs.nixpie-utils}/bin/get_ip.sh)" 42 | ${pkgs.machine-state}/bin/machine-state 43 | ''; 44 | }; 45 | }; 46 | } 47 | -------------------------------------------------------------------------------- /images/modules.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , nixpkgs 3 | , nixpkgsMaster 4 | , nixpkgsUnstable 5 | , pkgset 6 | , self 7 | , system 8 | , ... 
9 | }@inputs: 10 | 11 | imageName: 12 | { 13 | core = self.nixosModules.profiles.core; 14 | 15 | global = { 16 | system.name = imageName; 17 | networking.hostName = ""; # Use the DHCP provided hostname 18 | nix.nixPath = [ 19 | "nixpkgs=${nixpkgs}" 20 | "nixpkgs-unstable=${nixpkgsUnstable}" 21 | "nixpkgs-master=${nixpkgsMaster}" 22 | ]; 23 | 24 | nixpkgs = { 25 | inherit (pkgset) pkgs; 26 | overlays = [ self.overrides.${system} ] ++ (lib.attrValues self.overlays); 27 | }; 28 | 29 | nix.registry = { 30 | nixpkgs.flake = nixpkgs; 31 | nixpkgsUnstable.flake = nixpkgsUnstable; 32 | nixpkgsMaster.flake = nixpkgsMaster; 33 | nixpie = { 34 | from = { 35 | id = "nixpie"; 36 | type = "indirect"; 37 | }; 38 | to = { 39 | type = "git"; 40 | url = "https://gitlab.cri.epita.fr/forge/infra/nixpie.git"; 41 | }; 42 | }; 43 | }; 44 | 45 | environment.etc."nixos-version".text = lib.maybeEnv "NIXPIE_LABEL_VERSION" "pregit"; 46 | system.configurationRevision = null; # triggers rebuild of mandb 47 | }; 48 | 49 | flakeModules = 50 | builtins.attrValues (removeAttrs self.nixosModules [ "profiles" "nixpie" ]); 51 | } 52 | -------------------------------------------------------------------------------- /modules/packages/pkgs/gpgpu.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
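}: 2 | 3 | { 4 | options = { 5 | cri.packages.pkgs.gpgpu.enable = lib.options.mkEnableOption "gpgpu CRI package bundle"; 6 | }; 7 | 8 | config = lib.mkIf config.cri.packages.pkgs.gpgpu.enable { 9 | hardware.graphics.enable = true; 10 | environment.sessionVariables.LD_LIBRARY_PATH = [ "/run/opengl-driver/lib" ]; 11 | 12 | environment.systemPackages = with pkgs; [ 13 | # OpenCV 14 | clinfo 15 | ocl-icd 16 | opencl-headers 17 | mesa 18 | 19 | # CUDA 20 | binutils 21 | cudaPackages.cudatoolkit 22 | cudaPackages.cuda_nvprof 23 | (cudaPackages.nsight_systems.overrideAttrs (final: prev: { 24 | buildInputs = prev.buildInputs ++ [ boost178 e2fsprogs ]; 25 | })) 26 | #cudaPackages.nsight_compute #FIXME 27 | freeglut 28 | gperf 29 | gitRepo 30 | libGL 31 | libGLU 32 | linuxPackages.nvidia_x11 33 | m4 34 | # ncurses5 # makes system-path builder go into an infinite loop 35 | xorg.libX11 36 | xorg.libXext 37 | xorg.libXi 38 | xorg.libXmu 39 | xorg.libXrandr 40 | xorg.libXtst 41 | xorg.libXv 42 | zlib 43 | 44 | jre8 45 | jdk8 46 | 47 | # Misc 48 | boost 49 | freeimage 50 | glfw 51 | hashcat 52 | hashcat-utils 53 | ]; 54 | }; 55 | } 56 | -------------------------------------------------------------------------------- /pkgs/nixpie/exec-tools/set_bootcache.sh: -------------------------------------------------------------------------------- 
#! /usr/bin/env bash

# Wipes one disk and creates two 32G ext4 partitions on it, labelled
# "bootcache" and "nix-store-rw". Everything on the selected disk is lost.

set -euo pipefail

echo "Scanning disks on your system:"
# `|| true` applies to grep only: with `set -e -o pipefail` an empty match
# would otherwise abort the script right here, before the "no disk found"
# message below could ever be printed. A failing lsblk still aborts.
disks="$(lsblk --list --noheadings --paths --output NAME,SIZE,TYPE | { grep ' disk' || true; })"

if [ -z "${disks}" ]; then
  echo "Error: no disk found!"
  exit 1
fi

# The third column (TYPE) is read into a throwaway variable so that only the
# size is shown between the parentheses.
echo "${disks}" | while read -r name size _; do
  echo " - ${name} (${size})"
done

if [ "$(echo "${disks}" | wc -l)" -ne 1 ]; then
  DISK_NAME="/dev/invalid"

  # NOTE(review): any existing block device is accepted here, including a
  # partition or a device that was not listed above — confirm whether the
  # answer should be restricted to the disks printed by lsblk.
  while [ ! -b "${DISK_NAME}" ]; do
    echo -n "Choose a disk: "
    read -r DISK_NAME
  done
else
  DISK_NAME="$(echo "${disks}" | cut -d" " -f1)"
fi

echo "Setting partitions on ${DISK_NAME}"
echo " - bootcache (32G)"
echo " - nix-store-rw (32G)"
echo "ALL THIS DISK CONTENT WILL BE ERASED!"
echo "Press Ctrl+C to cancel..."
echo "Waiting 10 seconds before starting..."

sleep 10

sgdisk --zap-all "${DISK_NAME}"
sgdisk --clear "${DISK_NAME}"

sgdisk --new 1:2M:+32G "${DISK_NAME}"
sgdisk --change-name 1:bootcache "${DISK_NAME}"

sgdisk --new 2:0:+32G "${DISK_NAME}"
sgdisk --change-name 2:nix-store-rw "${DISK_NAME}"

partx --update "${DISK_NAME}"
sleep 5

# Format the partitions of the disk that was just partitioned, addressed by
# device path. /dev/disk/by-partlabel/<name> is ambiguous when another disk
# already carries a partition with the same label, and `mkfs -F` would then
# silently format that other partition.
disk_dev="$(readlink -f "${DISK_NAME}")"
case "${disk_dev}" in
  # Kernel naming: a disk name ending in a digit (nvme0n1, mmcblk0) gets a
  # "p" before the partition number.
  *[0-9]) part_prefix="${disk_dev}p" ;;
  *) part_prefix="${disk_dev}" ;;
esac

mkfs.ext4 -F -L bootcache "${part_prefix}1"
mkfs.ext4 -F -L nix-store-rw "${part_prefix}2"
-------------------------------------------------------------------------------- /images/nixos-exec.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... 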
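}:

let
  # Console entry point of the "exec" image: the getty configured below logs
  # root in automatically and runs this script in place of a login shell.
  #
  # exec_url= is read from the kernel command line. A bare name that matches
  # an executable shipped in exec-tools is run from the Nix store; any other
  # value is fetched with wget and executed as root.
  #
  # NOTE(review): the downloaded script runs as root with no hash or
  # signature check, so its integrity rests entirely on the URL's transport
  # and on whoever is able to set the kernel command line for this image —
  # confirm that only https:// URLs issued by the PXE service reach it.
  execScript = pkgs.writeShellScript "exec.sh" ''
    set -xu

    # `sed -n ... p` prints only when exec_url= is really present; without it
    # a missing parameter made the whole command line the "URL".
    EXEC_URL="$(${pkgs.gnused}/bin/sed -n 's/.*exec_url=\([^ ]*\).*/\1/p' /proc/cmdline)"

    # Wait for network to be ready
    ${pkgs.nixpie-utils}/bin/get_ip.sh

    LOCAL_TOOL="${pkgs.exec-tools}/bin/''${EXEC_URL}"

    if [ -z "''${EXEC_URL}" ]; then
      echo "exec_url= is missing from the kernel command line" >&2
    elif [ "''${EXEC_URL##*/}" = "''${EXEC_URL}" ] && [ -f "''${LOCAL_TOOL}" ] && [ -x "''${LOCAL_TOOL}" ]; then
      # Bare file names only: a value containing "/" is never resolved
      # relative to the exec-tools directory, and a directory does not pass
      # for an executable.
      "''${LOCAL_TOOL}"
    elif ${pkgs.wget}/bin/wget "''${EXEC_URL}" -O /tmp/script.sh; then
      # Run the script only when the download succeeded.
      chmod +x /tmp/script.sh
      /tmp/script.sh
    else
      echo "Could not download ''${EXEC_URL}" >&2
    fi

    echo "Shutdown in 10s"
    read -t 10 -p "Hit ENTER to drop into a shell" || ${pkgs.systemd}/bin/poweroff
    exec ${pkgs.bash}/bin/bash
  '';
in
{
  netboot = {
    enable = true;
    bootcache.enable = lib.mkForce false;
    nix-store-rw.enable = lib.mkForce false;
    home.enable = lib.mkForce false;
    swap.enable = lib.mkForce false;
  };

  cri = {
    afs.enable = false;
    krb5.enable = false;
    ldap.enable = false;
    users.createEpitaUser = false;
  };

  boot.supportedFilesystems = [ "nfs" ]; # To create dumps

  # Default tool; the value found on the actual kernel command line wins.
  boot.kernelParams = [ "exec_url=htop.sh" ];

  # Root is logged in without authentication and execScript is started as
  # the login program's argument.
  services.getty = {
    loginProgram = "${pkgs.bash}/bin/bash";
    loginOptions = "${execScript}";
    autologinUser = "root";
  };
}
-------------------------------------------------------------------------------- /pkgs/tools/ipxe-forge/forge.ipxe: -------------------------------------------------------------------------------- 1 | #!ipxe 2 | 3 | set target:string https://django-pxe.pie.cri.epita.fr 4 | set defaultntp:string ntp.pie.cri.epita.fr 5 | set maxretry:int32 5 6 | 7 | :start 8 | set retryntp:int32 0 9 | set retry:int32 0 10 | 11 | ifopen || goto reboot 12 | isset ${42} && set ntp:string ${42:ipv4} || set ntp:string ${defaultntp} 13 | isset ${ip} || goto dhcp 14 | goto chain 15 | 16 | :dhcp 17 | echo Getting configuration from DHCP... 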
18 | ifconf -c dhcp || goto reboot 19 | isset ${42} && set ntp:string ${42:ipv4} || set ntp:string ${defaultntp} 20 | goto chain 21 | 22 | :reboot 23 | prompt --key 0x02 --timeout 2000 Rebooting, press Ctrl-B for the iPXE command line... || reboot 24 | shell 25 | goto reboot 26 | 27 | :chain 28 | inc retry 29 | prompt --key 0x02 --timeout 2000 Attempt ${retry}/${maxretry}, press Ctrl-B for the iPXE command line... && shell || 30 | chain ${target} && goto continue || 31 | iseq ${retry} 1 && goto settime || 32 | iseq ${retry} ${maxretry} && goto reboot || 33 | goto chain 34 | 35 | :settime 36 | inc retryntp 37 | prompt --key 0x03 --timeout 2000 Updating NTP attempt ${retryntp}/${maxretry}, press Ctrl-C to abort... && goto chain || 38 | ntp ${ntp:string} && goto chain || 39 | iseq ${retryntp} ${maxretry} && goto reboot || 40 | goto settime 41 | 42 | :continue 43 | prompt --key 0x02 --timeout 2000 Continue booting, press Ctrl-B for the iPXE command line... || exit 44 | shell 45 | goto continue 46 | -------------------------------------------------------------------------------- /modules/config/ldap.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
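}:

with lib;

{
  options = {
    cri.ldap = {
      # mkEnableOption already prefixes "Whether to enable"; the previous
      # text ("Enable default users") described something else.
      enable = mkEnableOption "LDAP user and group lookup through SSSD";
    };
  };

  config = mkIf config.cri.ldap.enable {
    # SSSD resolves users and groups (nss), authenticates them (pam) and
    # serves the ssh responder, all against the single LDAP domain below.
    #
    # cache_credentials = true lets SSSD keep credential material locally for
    # logins while the directory is unreachable.
    #
    # NOTE(review): ldap_uri already uses ldaps://, so ldap_id_use_start_tls
    # looks redundant next to it — check against the deployed sssd version
    # before removing it. Certificate checking is left at the sssd default
    # because ldap_tls_reqcert is not set here.
    services.sssd = {
      enable = true;
      config = ''
        [sssd]
        config_file_version = 2
        services = nss, pam, ssh
        domains = LDAP

        [nss]
        override_shell = ${config.users.defaultUserShell}/bin/bash

        [domain/LDAP]
        cache_credentials = true
        enumerate = false

        id_provider = ldap
        auth_provider = ldap

        ldap_uri = ldaps://ldap.pie.cri.epita.fr
        ldap_search_base = dc=cri,dc=epita,dc=fr
        ldap_user_search_base = ou=users,dc=cri,dc=epita,dc=fr?subtree?(objectClass=posixAccount)
        ldap_group_search_base = ou=groups,dc=cri,dc=epita,dc=fr?subtree?(objectClass=posixGroup)
        ldap_id_use_start_tls = true
        ldap_schema = rfc2307bis
        ldap_user_gecos = cn

        entry_cache_timeout = 600
        ldap_network_timeout = 2

        ignore_group_members = True
      '';
    };

    # nsswitch = false: name-service lookups are left to SSSD above; this
    # block only provides the LDAP client settings.
    users = {
      ldap = {
        enable = true;
        base = "dc=cri,dc=epita,dc=fr";
        server = "ldaps://ldap.pie.cri.epita.fr";
        nsswitch = false;
      };
    };
  };
}
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Nix PIE 2 | 3 | Nix PIE is the Nix and NixOS configuration used at EPITA for the school's 4 | computer labs (about 1,000 computers accross the 6 campuses in France). 5 | 6 | ## NixOS images 7 | 8 | Computers at EPITA use network boot (PXE) to run their operating system. We 9 | provide multiple configurations called "images" that contain different sets of 10 | software depending on the course needs or student year. At boot, users are 11 | displayed a menu on which they can choose the configuration they need to use. 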
12 | The kernel and initrd is then downloaded through HTTPS and the rootfs is 13 | downloaded using the BitTorrent protocol in NixOS Stage 1. 14 | 15 | ## Repository structure 16 | 17 | The repository structure is similar to the official nixpkgs repository. 18 | 19 | - `images` contains all the NixOS configurations provided by the flake 20 | - `lib` contains Nix functions used in Nix PIE 21 | - `modules` contains NixOS modules 22 | - `pkgs` contains Nix derivations of software packaged by us 23 | - `profiles` contains shared NixOS configuration between images 24 | - `tests` contains NixOS tests of our configurations 25 | 26 | ## Testing 27 | 28 | To test NixOS configurations, one can start a VM using the following commands: 29 | 30 | ```sh 31 | # Build the VM 32 | nix build -L .#nixosConfigurations..config.system.build.vm 33 | 34 | # Start the VM 35 | ./result/bin/run--vm -smp 4 -m 8192 -vga qxl 36 | 37 | # Delete the generated disk image to reset the state of the VM 38 | rm *.qcow2 39 | ``` 40 | -------------------------------------------------------------------------------- /images/nixos-maths.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, inputs, system, ... 
}: 2 | let 3 | numpy-doc = pkgs.writeShellScriptBin "numpy-doc" '' 4 | ${pkgs.xdg-utils}/bin/xdg-open ${pkgs.numpy-doc}/index.html 5 | ''; 6 | in 7 | { 8 | imports = [ 9 | ../profiles/graphical 10 | ]; 11 | 12 | netboot.enable = true; 13 | cri.sddm.title = "NixOS Maths"; 14 | 15 | cri.packages = { 16 | pkgs = { 17 | dev.enable = true; 18 | lisp.enable = true; 19 | r.enable = true; 20 | podman.enable = true; 21 | }; 22 | }; 23 | 24 | environment.systemPackages = with pkgs; [ 25 | libreoffice 26 | gnuplot 27 | numpy-doc 28 | ]; 29 | 30 | cri.packages.pythonPackages.nixosMathsCustom = p: with p; [ 31 | pkgs.dtale 32 | beautifulsoup4 33 | dash 34 | folium 35 | graphviz 36 | imageio 37 | ipdb 38 | ipython 39 | ipywidgets 40 | jupyter 41 | jupyterlab 42 | lxml 43 | matplotlib 44 | networkx 45 | numpy 46 | openpyxl 47 | pandas 48 | #pandas-datareader # not working with python>3.12, nixpkgs#310800 49 | pkgs.jupyter-dash 50 | #jupyter-contrib-nbextensions 51 | pkgs.jupyter_latex_envs 52 | pkgs.nbtranslate 53 | squarify 54 | wikipedia 55 | plotly 56 | pycryptodome 57 | pygame 58 | pytorch 59 | torchvision 60 | scikit-learn 61 | scikitimage 62 | scipy 63 | seaborn 64 | seaborn 65 | tensorboard 66 | termcolor 67 | xarray 68 | xlrd 69 | gmpy2 70 | sounddevice 71 | soundfile 72 | pywavelets 73 | ]; 74 | } 75 | -------------------------------------------------------------------------------- /pkgs/nixpie/nixpie-utils/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , symlinkJoin 3 | , writeShellScriptBin 4 | , coreutils 5 | , gawk 6 | , gnugrep 7 | , gnused 8 | , inetutils 9 | , iproute2 10 | }: 11 | 12 | let 13 | wait_for_hostname = '' 14 | n=0 15 | until [ "''${n}" -ge 15 ] || ${gnugrep}/bin/grep domain /etc/resolv.conf 2>&1 >/dev/null; do 16 | n="$(( ''${n} + 1 ))" 17 | sleep 2 18 | done 19 | ''; 20 | get_ip = writeShellScriptBin "get_ip.sh" '' 21 | while true; do 22 | ip="$(${iproute2}/bin/ip address \ 23 | | 
${gnugrep}/bin/grep 'inet ' \ 24 | | ${gnugrep}/bin/grep -v '127.0.0.' \ 25 | | ${coreutils}/bin/head -n1 \ 26 | | ${gawk}/bin/awk '{ print $2 }' \ 27 | | ${coreutils}/bin/cut -d/ -f1\ 28 | )" 29 | if [ -n "$ip" ] ; then 30 | break 31 | fi 32 | sleep 2 33 | done 34 | echo "''${ip}" 35 | ''; 36 | get_room_name = writeShellScriptBin "get_room_name.sh" '' 37 | ${wait_for_hostname} 38 | ${gnugrep}/bin/grep domain /etc/resolv.conf \ 39 | | ${gawk}/bin/awk '{ print $2 }' \ 40 | | ${gnused}/bin/sed 's/.sm.cri.epita.fr//' | cut -d. -f1 41 | ''; 42 | get_site_name = writeShellScriptBin "get_site_name.sh" '' 43 | ${wait_for_hostname} 44 | ${gnugrep}/bin/grep domain /etc/resolv.conf \ 45 | | ${gawk}/bin/awk '{ print $2 }' \ 46 | | ${gnused}/bin/sed 's/.sm.cri.epita.fr//' | cut -d. -f2 47 | ''; 48 | in 49 | symlinkJoin { 50 | name = "nixpie-utils"; 51 | 52 | paths = [ 53 | get_ip 54 | get_room_name 55 | get_site_name 56 | ]; 57 | 58 | meta = with lib; { 59 | platforms = platforms.linux; 60 | }; 61 | } 62 | -------------------------------------------------------------------------------- /modules/services/admin/salt/minion.nix: -------------------------------------------------------------------------------- 1 | { imageName, config, pkgs, lib, ... 
}: 2 | 3 | with lib; 4 | 5 | { 6 | options = { 7 | cri.salt = { 8 | enable = mkEnableOption "Enable salt"; 9 | master = mkOption { 10 | type = types.str; 11 | default = "salt.pie.cri.epita.fr"; 12 | description = "Address of the salt master server"; 13 | }; 14 | }; 15 | }; 16 | 17 | config = mkIf config.cri.salt.enable { 18 | services.salt.minion = { 19 | enable = true; 20 | configuration = { 21 | inherit (config.cri.salt) master; 22 | id = "nixpie"; 23 | startup_states = "highstate"; 24 | }; 25 | }; 26 | 27 | environment.etc."salt/minion" = mkForce { 28 | mode = "0644"; 29 | text = ( 30 | concatStringsSep "\n" 31 | (mapAttrsToList (n: v: "${n}: ${v}") config.services.salt.minion.configuration) 32 | ); 33 | }; 34 | 35 | systemd.services.salt-minion = { 36 | after = [ "network-online.target" ]; 37 | wants = [ "network-online.target" ]; 38 | path = [ "/run/current-system/sw" ]; 39 | 40 | serviceConfig = { 41 | Restart = "always"; 42 | }; 43 | 44 | preStart = '' 45 | id="$(${pkgs.nixpie-utils}/bin/get_ip.sh)" 46 | sed -i '/^id:/d' /etc/salt/minion 47 | echo -e "\nid: $id" >> /etc/salt/minion 48 | echo "$id" > /etc/salt/minion_id 49 | 50 | echo "image: ${imageName}" > /etc/salt/grains 51 | echo "room: $(${pkgs.nixpie-utils}/bin/get_room_name.sh)" >> /etc/salt/grains 52 | echo "site: $(${pkgs.nixpie-utils}/bin/get_site_name.sh)" >> /etc/salt/grains 53 | ''; 54 | }; 55 | }; 56 | } 57 | -------------------------------------------------------------------------------- /.gitlab/ci/generate-checks-pipeline.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | source "${CI_PROJECT_DIR}/.gitlab/ci/utils.sh" 6 | 7 | function getChangedChecks() { 8 | echoInfo "Evaluating checks..." 9 | nix_run nix-eval-jobs --check-cache-status --flake "${CI_PROJECT_DIR}#gitlabCiJobs.checks.x86_64-linux" | tee "${DIFF_DIR}/checks.jsonl" 1>&2 10 | jq -r '. 
| select(.isCached == false) | .attr' "${DIFF_DIR}/checks.jsonl" | xargs 11 | } 12 | 13 | echoInfo "Getting ready..." 14 | 15 | mkdir -p "$DIFF_DIR" 16 | 17 | print_defaults 18 | 19 | 20 | echoInfo "Starting pipeline generation..." 21 | 22 | changedChecks="" 23 | if [ -n "${ALL_CHECKS:-}" ]; then 24 | changedChecks="$(nix_run list-checks | xargs)" 25 | else 26 | changedChecks="$(getChangedChecks)" 27 | fi 28 | 29 | echoWarn "Tests to be rebuilt are: ${changedChecks}" 30 | 31 | echoInfo "Generating pipeline..." 32 | 33 | for check in ${changedChecks}; do 34 | echoInfo "Generating job for check ${check}..." 35 | cat < ~/.aws/credentials 55 | - nix copy --to "s3://\${AWS_NIX_CACHE_BUCKET}?scheme=https&endpoint=\${AWS_NIX_CACHE_ENDPOINT}" "\$buildExpression" 56 | EOF 57 | fi 58 | 59 | cat < >(sed $'s/\e/\\\\E/g') 5 | fi 6 | 7 | colorfmt() { 8 | sed -e " 9 | s/%hlbr/$(tput bold)$(tput setaf 1)/g; 10 | s/%hlr/$(tput setaf 1)/g; 11 | s/%hlbg/$(tput bold)$(tput setaf 2)/g; 12 | s/%hlg/$(tput setaf 2)/g; 13 | s/%hlbb/$(tput bold)$(tput setaf 4)/g; 14 | s/%blb/$(tput setaf 4)/g; 15 | s/%hlby/$(tput bold)$(tput setaf 3)/g; 16 | s/%hly/$(tput setaf 3)/g; 17 | s/%hlbm/$(tput bold)$(tput setaf 5)/g; 18 | s/%hlm/$(tput setaf 5)/g; 19 | s/%hlbw/$(tput bold)$(tput setaf 8)/g; 20 | s/%hlw/$(tput setaf 7)/g; 21 | s/%hl0/$(tput sgr0 || echo $'\e[0m')/g; 22 | " <<<"${1}" 23 | } 24 | 25 | center_text() { 26 | local text="$1" 27 | local width=80 28 | printf "%*s\n" $(((${#text} + width) / 2)) "$text" 29 | } 30 | 31 | # Write the content to the output file 32 | cat >$out < "${config.cri.aria2.seedlist}" 45 | ''; 46 | 47 | script = '' 48 | aria2_base="-V --file-allocation=prealloc --enable-mmap=true --bt-enable-lpd=true" 49 | aria2_summary="--summary-interval=60" 50 | aria2_nodht="--enable-dht=false --enable-dht6=false" 51 | aria2_always_seed="--seed-ratio=0" 52 | aria2_limit_bandwidth="--max-overall-upload-limit=200M" 53 | aria2_opts="$aria2_base $aria2_summary $aria2_nodht 
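$aria2_always_seed $aria2_limit_bandwidth" 54 | 55 | ${pkgs.aria2}/bin/aria2c $aria2_opts --check-integrity --input-file=${config.cri.aria2.seedlist} 56 | ''; 57 | }; 58 | }; 59 | } 60 | -------------------------------------------------------------------------------- /pkgs/nixpie/exec-tools/install_image.sh: -------------------------------------------------------------------------------- 
#!/usr/bin/env bash

# Installs one NixOS configuration of the nixpie flake on a local disk:
# picks the configuration (kernel command line, else a dialog menu), picks
# the disk, repartitions and formats it, then runs nixos-install.
#
# NOTE(review): when exactly one disk is detected it is repartitioned without
# any confirmation, and the flake is fetched from the repository's current
# head rather than a pinned revision — confirm both are intended.

set -exuo pipefail

if [ -e "/proc/cmdline" ]; then

  cmdline=$(cat /proc/cmdline)

  if grep -q "nixosConfiguration=" <<< "$cmdline"; then
    CONFIG=$(grep -oP '(?<=nixosConfiguration=)[^ ]+' <<< "$cmdline")
  fi

fi

if [ -z "${CONFIG:-}" ]; then

  NIXPIE_CONFIGS="$(nix flake show --json git+https://gitlab.cri.epita.fr/forge/infra/nixpie.git | jq -r '.nixosConfigurations | keys[]' | grep -vE '(-local|-vm)$' | nl -w2 | tr '\t' ' ' | tr '\n' ' ')";

  # shellcheck disable=SC2086
  CHOICE=$(dialog --clear --menu "Please select a configuration:" 0 0 25 $NIXPIE_CONFIGS 2>&1 >/dev/tty)


  CONFIG=$(awk -v num="$CHOICE" '{for(i=1; i <=NF; i+= 2) {if($i == num) print $(i+1)}}' <<< "$NIXPIE_CONFIGS")

fi

# CONFIG is spliced into the flake reference given to nixos-install, and it
# may come straight from the kernel command line: accept plain attribute-name
# characters only, and refuse an empty or multi-line value.
if [[ ! "${CONFIG}" =~ ^[A-Za-z0-9._-]+$ ]]; then
  echo "Invalid configuration name: ${CONFIG}" >&2
  exit 1
fi

DISKS="$(lsblk -o NAME,SIZE -d -p -n -e7 | awk '{print "\""$1"\"" " \"" $2"\""}')"

# Two words (name and size) mean exactly one disk.
DISK_COUNT=$(echo "$DISKS" | wc -w)

if [ "$DISK_COUNT" -eq 2 ]; then
  DISK=$(echo "$DISKS" | awk '{print $1}' | sed 's/"//g')
else
  # shellcheck disable=SC2086
  DISK=$(dialog --clear --menu "Please select a disk:" 0 0 25 $DISKS 2>&1 >/dev/tty)

  DISK=${DISK//\"/}
fi

# Kernel naming: a disk whose name ends in a digit (nvme0n1, mmcblk0) gets a
# "p" before the partition number; the previous test only covered nvme.
if [[ "$DISK" =~ [0-9]$ ]]; then
  PREFIX="${DISK}p"
else
  PREFIX="${DISK}"
fi

# Partition the disk
parted -s "${DISK}" mklabel gpt
parted -s "${DISK}" mkpart primary fat32 1MiB 1GB
parted -s "${DISK}" mkpart primary linux-swap 1GB 9GB
parted -s "${DISK}" mkpart primary ext4 9GB 100%

sleep 3
partprobe

parted -s "${DISK}" set 1 esp on

# Format the disks
mkfs.fat -n EFI -F 32 "${PREFIX}1"
mkswap "${PREFIX}2"
swaplabel -L 'nixos-swap' "${PREFIX}2"
mkfs.ext4 -L 'nixos-root' "${PREFIX}3"

sleep 3

# Mount the disk
# Mount the partitions that were just created, by device path: a filesystem
# labelled nixos-root or EFI on another disk would make the by-label links
# ambiguous and the installation could land on the wrong disk.
mkdir -p /mnt
mount "${PREFIX}3" /mnt

mkdir -p /mnt/boot
mount "${PREFIX}1" /mnt/boot

nixos-install --no-root-passwd --flake "git+https://gitlab.cri.epita.fr/forge/infra/nixpie.git#${CONFIG}-local"
-------------------------------------------------------------------------------- /.gitlab/ci/generate-packages-pipeline.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | source "${CI_PROJECT_DIR}/.gitlab/ci/utils.sh" 6 | 7 | function getChangedPackages() { 8 | echoInfo "Evaluating packages..." 9 | nix_run nix-eval-jobs --check-cache-status --flake "${CI_PROJECT_DIR}#gitlabCiJobs.packages.x86_64-linux" | tee "${DIFF_DIR}/pkgs.jsonl" 1>&2 10 | jq -r '. | select(.isCached == false) | .attr' "${DIFF_DIR}/pkgs.jsonl" | xargs 11 | } 12 | 13 | echoInfo "Getting ready..." 14 | 15 | mkdir -p "$DIFF_DIR" 16 | 17 | print_defaults 18 | 19 | echoInfo "Starting pipeline generation..." 20 | 21 | changedPkgs="" 22 | if [ -n "${ALL_PACKAGES:-}" ]; then 23 | changedPkgs="$(nix_run list-pkgs | xargs)" 24 | else 25 | changedPkgs="$(getChangedPackages)" 26 | fi 27 | 28 | echoWarn "Packages to be rebuilt are: ${changedPkgs}" 29 | 30 | echoInfo "Generating pipeline..." 31 | 32 | for pkg in ${changedPkgs}; do 33 | echoInfo "Generating jobs for package ${pkg}..." 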
34 | cat < ~/.aws/credentials 56 | - nix copy --to "s3://\${AWS_NIX_CACHE_BUCKET}?scheme=https&endpoint=\${AWS_NIX_CACHE_ENDPOINT}" "\$buildExpression" 57 | EOF 58 | 59 | if [ "${pkg}" = "ipxe-forge" ]; then 60 | cat < ~/.aws/credentials 76 | - nix_run awscli s3 --endpoint-url "\${AWS_PXE_IMAGES_ENDPOINT}" cp --acl public-read --recursive ./result/ "s3://\${AWS_PXE_IMAGES_BUCKET}" 77 | EOF 78 | fi 79 | 80 | fi 81 | 82 | done 83 | 84 | echoSuccess "All done!" 85 | -------------------------------------------------------------------------------- /modules/packages/pkgs/tcinfo.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | # Those wrappers are needed to make the packages work with the PIE environment 4 | let 5 | # Elastic wrappers initiates the ES_HOME environment variable if not set 6 | # It also copies the elasticsearch store home from the nix store and places it 7 | # in the ES_HOME directory (keeping only what is needed) in order to make it 8 | # writable 9 | elastic-wrapper = pkgs.writeShellScriptBin "elasticsearch" '' 10 | set -e 11 | 12 | if [ -z "$ES_HOME" ]; then 13 | export ES_HOME=$HOME/.elasticsearch 14 | fi 15 | 16 | if [ ! -d "$ES_HOME" ]; then 17 | mkdir -p $ES_HOME 18 | cp -r ${pkgs.elasticsearch}/{config,lib,modules,plugins} $ES_HOME/ 19 | chmod +w -R $ES_HOME/ 20 | mkdir -p $ES_HOME/logs 21 | fi 22 | 23 | exec ${pkgs.elasticsearch}/bin/elasticsearch $@ 24 | ''; 25 | # Neo4j desktop has a problem when creating the jwt addon file by making it 26 | # read-only. This wrapper makes sure the file is created before starting the 27 | # application and that it is writable (it makes the errors disappear but 28 | # breaks authentication, so it needs to be disabled in the GUI after starting) 29 | neo4j-desktop-wrapper = pkgs.writeShellScriptBin "neo4j-desktop" '' 30 | set -e 31 | 32 | CONFIG="$HOME/.config/Neo4j Desktop" 33 | 34 | if [ ! 
-d "$CONFIG" ]; then 35 | PATCH_DIR="$CONFIG/Application/relate-data/plugin-versions" 36 | mkdir -p "$PATCH_DIR" 37 | PATCH_FILE="$PATCH_DIR/neo4j-jwt-addon.json" 38 | touch "$PATCH_FILE" 39 | chmod 644 "$PATCH_FILE" 40 | fi 41 | 42 | exec ${pkgs.neo4j-desktop}/bin/neo4j-desktop $@ 43 | ''; 44 | in 45 | { 46 | options = { 47 | cri.packages.pkgs.tcinfo.enable = lib.options.mkEnableOption "TCINFO CRI package bundle"; 48 | }; 49 | 50 | config = lib.mkIf config.cri.packages.pkgs.tcinfo.enable { 51 | cri.packages.pkgs = { 52 | java.enable = true; 53 | podman.enable = true; 54 | }; 55 | 56 | environment.systemPackages = with pkgs; [ 57 | # Elastic 58 | elastic-wrapper 59 | # MongoDB 60 | mongodb-ce 61 | mongodb-tools 62 | mongosh 63 | # Neo4j 64 | neo4j 65 | neo4j-desktop-wrapper 66 | kubectl 67 | ]; 68 | }; 69 | } 70 | -------------------------------------------------------------------------------- /profiles/graphical/default.nix: -------------------------------------------------------------------------------- 1 | { pkgs, config, lib, ... }: 2 | 3 | with lib; 4 | let 5 | Xresources = pkgs.writeText "Xresources" '' 6 | *.scrollBar : false 7 | *metaSendsEscape : true 8 | *sessionMgt : false 9 | *utf8 : always 10 | ! colors 11 | *.foreground : white 12 | *.background : black 13 | ! 
make dark blue color more readable 14 | *.color12 : #2ca2f5 15 | 16 | URxvt.font : xft:DejaVu Sans Mono:pixelsize=10:antialias=true:hinting=true 17 | ''; 18 | in 19 | { 20 | cri = { 21 | bluetooth.enable = true; 22 | i3.enable = true; 23 | redshift.enable = true; 24 | sddm.enable = true; 25 | sound.enable = true; 26 | idle-shutdown.enable = true; 27 | sm-inventory-agent.enable = true; 28 | }; 29 | 30 | cri.packages.pkgs.desktop.enable = true; 31 | 32 | services.xserver = { 33 | enable = true; 34 | autorun = true; 35 | 36 | xkb.layout = "us,fr,gb"; 37 | displayManager = { 38 | setupCommands = '' 39 | ${pkgs.xorg.setxkbmap}/bin/setxkbmap us,fr,gb 40 | ''; 41 | 42 | sessionCommands = '' 43 | ${pkgs.xorg.xrdb}/bin/xrdb -merge ${Xresources} 44 | ''; 45 | }; 46 | }; 47 | 48 | environment.variables = { 49 | TERMINAL = "${pkgs.alacritty}/bin/alacritty"; 50 | }; 51 | 52 | xdg.mime.defaultApplications = { 53 | "x-scheme-handler/http" = "firefox.desktop"; 54 | "x-scheme-handler/https" = "firefox.desktop"; 55 | "x-scheme-handler/mailto" = "thunderbird.desktop"; 56 | "text/html" = "firefox.desktop"; 57 | "application/x-extension-htm" = "firefox.desktop"; 58 | "application/x-extension-html" = "firefox.desktop"; 59 | "application/x-extension-shtml" = "firefox.desktop"; 60 | "application/xhtml+xml" = "firefox.desktop"; 61 | "application/x-extension-xhtml" = "firefox.desktop"; 62 | "application/x-extension-xht" = "firefox.desktop"; 63 | }; 64 | 65 | fonts = { 66 | enableDefaultPackages = true; 67 | packages = with pkgs; [ 68 | dejavu_fonts 69 | ]; 70 | fontconfig = { 71 | enable = true; 72 | hinting.enable = true; 73 | }; 74 | }; 75 | 76 | environment.etc."chromium/policies/recommended/spnego.json".text = builtins.toJSON { 77 | AuthServerAllowlist = "*cri.epita.fr,*forge.epita.fr"; 78 | DisableAuthNegotiateCnameLookup = true; 79 | }; 80 | } 81 | -------------------------------------------------------------------------------- /images/nixos-gpgpu.nix: 
-------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | 3 | { 4 | imports = [ 5 | ../profiles/graphical 6 | ]; 7 | 8 | netboot.enable = true; 9 | cri.sddm.title = "NixOS GPGPU"; 10 | cri.sshd.allowUsers = true; 11 | 12 | services.xserver.videoDrivers = [ "nvidia" ]; 13 | hardware.nvidia.open = false; 14 | 15 | boot.extraModprobeConfig = '' 16 | options nvidia NVreg_RestrictProfilingToAdminUsers=0 NVreg_DeviceFileMode=0666 17 | ''; 18 | 19 | boot.kernelParams = [ 20 | "nomodeset" 21 | ]; 22 | 23 | environment.pathsToLink = [ 24 | "/nvvm" 25 | "/nvvmx" 26 | "/targets" 27 | ]; 28 | 29 | cri.packages = { 30 | pkgs = { 31 | dev.enable = true; 32 | gpgpu.enable = true; 33 | opengl.enable = true; 34 | }; 35 | }; 36 | 37 | environment.variables = { 38 | CUDA_PATH = "${pkgs.cudatoolkit}"; 39 | }; 40 | 41 | # On SSH OpenStack GPU instances, students tend to use all the memory and the 42 | # system ends up unresponsive. This allows systemd-oomd to take action on 43 | # student's processes before the memory is full. 
44 | systemd.oomd.enableUserSlices = true; 45 | 46 | environment.etc."nixos-gpgpu/shell.nix".text = '' 47 | let 48 | system = "x86_64-linux"; 49 | 50 | nixpie = import ; 51 | 52 | inherit (nixpie.inputs.nixpkgs) lib; 53 | inherit (lib) attrValues; 54 | 55 | pkgs = import nixpie.inputs.nixpkgs { 56 | inherit system; 57 | config = { 58 | allowUnfree = true; 59 | }; 60 | overlays = (attrValues nixpie.overlays) ++ [ nixpie.overrides.''${system} ]; 61 | }; 62 | in 63 | pkgs.mkShell { 64 | name = "cuda-env-shell"; 65 | buildInputs = with pkgs; [ 66 | git gitRepo gnupg autoconf curl 67 | procps gnumake utillinux m4 gperf unzip cmake 68 | linuxPackages.nvidia_x11 69 | libGLU libGL 70 | xorg.libXi xorg.libXmu freeglut 71 | xorg.libXext xorg.libX11 xorg.libXv xorg.libXrandr zlib pngpp tbb 72 | ncurses5 stdenv.cc binutils 73 | ]; 74 | shellHook = with pkgs;'' + "''" + '' 75 | export CUDA_PATH=''${pkgs.cudaPackages.cudatoolkit} 76 | export LD_LIBRARY_PATH=''${linuxPackages.nvidia_x11}/lib:''${ncurses5}/lib:''${libkrb5}/lib:$LD_LIBRARY_PATH 77 | export EXTRA_LDFLAGS="-L/lib -L''${linuxPackages.nvidia_x11}/lib $EXTRA_LDFLAGS" 78 | export EXTRA_CCFLAGS="-I/usr/include $EXTRA_CCFLAGS" 79 | '' + "''" + ''; 80 | } 81 | ''; 82 | } 83 | -------------------------------------------------------------------------------- /modules/packages/pkgs/desktop.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | with lib; 4 | let 5 | cfg = config.cri.packages.pkgs.desktop; 6 | in 7 | { 8 | options = { 9 | cri.packages.pkgs.desktop = { 10 | enable = mkEnableOption "desktop CRI package bundle"; 11 | firefox = { 12 | toolbarBookmarks = mkOption { 13 | default = [ ]; 14 | type = with types; listOf (attrsOf str); 15 | description = "List of Firefox bookmarks to add in toolbar"; 16 | example = [ 17 | { 18 | Title = "Forge ID"; 19 | URL = "https://cri.epita.fr"; 20 | Favicon = "https://s3.cri.epita.fr/cri-intranet/img/logo.png"; 21 | } 22 | ]; 23 | }; 24 | extraPolicies = mkOption { 25 | default = { }; 26 | type = types.attrs; 27 | description = "Extra Firefox policies to apply"; 28 | example = { 29 | CaptivePortal = false; 30 | DisableFirefoxStudies = true; 31 | }; 32 | }; 33 | }; 34 | }; 35 | }; 36 | 37 | config = mkIf cfg.enable { 38 | 39 | environment.systemPackages = with pkgs; [ 40 | # browsers 41 | chromium 42 | (wrapFirefox firefox-unwrapped { 43 | extraPrefs = '' 44 | pref("network.negotiate-auth.trusted-uris", "cri.epita.fr,.cri.epita.fr"); 45 | pref("network.trr.excluded-domains", "cri.epita.fr"); 46 | ''; 47 | extraPolicies = cfg.firefox.extraPolicies // (optionalAttrs (builtins.length cfg.firefox.toolbarBookmarks > 0) { 48 | Bookmarks = builtins.map (bookmark: bookmark // { Placement = "toolbar"; }) cfg.firefox.toolbarBookmarks; 49 | DisplayBookmarksToolbar = "always"; 50 | }); 51 | }) 52 | 53 | # communication 54 | thunderbird 55 | 56 | # editors 57 | (emacs.pkgs.withPackages (epkgs: (with epkgs.melpaStablePackages; [ 58 | tuareg 59 | ]))) 60 | 61 | # images 62 | feh 63 | gimp 64 | imagemagick 65 | scrot 66 | 67 | # misc 68 | alacritty 69 | bc 70 | dialog 71 | zenity 72 | hicolor-icon-theme 73 | keepassxc 74 | mlocate 75 | netcat-openbsd 76 | rlwrap 77 | rxvt-unicode 78 | xorg.xeyes 79 | xorg.xinit 80 | xorg.xkill 81 | xsel 82 | xterm 83 | x11vnc 84 | 85 | # pdf reader 86 | evince 87 | zathura 88 | 89 | # video tools 90 | vlc 91 | 92 | # back to home 93 | 
discord 94 | ]; 95 | }; 96 | } 97 | -------------------------------------------------------------------------------- /modules/packages/pkgs/nts.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | let 3 | SecLists = pkgs.fetchFromGitHub { 4 | owner = "danielmiessler"; 5 | repo = "SecLists"; 6 | rev = "39657bcc05d9dc1637bf30dd0dea0dc70b8ad751"; 7 | sha256 = "yVxb5GaQDuCsyjIV+oZzNUEFoq6gMPeaIeQviwGdAgY="; 8 | }; 9 | firefoxBurpProfile = "$HOME/.firefox-burps-profile"; 10 | prefsJs = pkgs.writeText "pref.js" '' 11 | user_pref("network.proxy.allow_hijacking_localhost", true); 12 | user_pref("network.proxy.backup.ssl", ""); 13 | user_pref("network.proxy.backup.ssl_port", 0); 14 | user_pref("network.proxy.http", "127.0.0.1"); 15 | user_pref("network.proxy.http_port", 8080); 16 | user_pref("network.proxy.share_proxy_settings", true); 17 | user_pref("network.proxy.ssl", "127.0.0.1"); 18 | user_pref("network.proxy.ssl_port", 8080); 19 | user_pref("network.proxy.type", 1); 20 | ''; 21 | firefox-burp = pkgs.writeScriptBin "firefox-burp" '' 22 | ${pkgs.firefox}/bin/firefox --profile "${firefoxBurpProfile}" 23 | ''; 24 | nts-start = pkgs.writeScriptBin "nts-start" '' 25 | ${firefox-burp}/bin/firefox-burp & 26 | ${pkgs.firefox}/bin/firefox & 27 | ${pkgs.burpsuite}/bin/burpsuite & 28 | ''; 29 | in 30 | { 31 | options = { 32 | cri.packages.pkgs.nts.enable = lib.options.mkEnableOption "NTS CRI package bundle"; 33 | }; 34 | 35 | config = lib.mkIf config.cri.packages.pkgs.nts.enable { 36 | 37 | cri.users.sessionOpenScript = '' 38 | ln -s ${SecLists} "$HOME/SecLists" || true 39 | mkdir -p ${firefoxBurpProfile} 40 | if [ ! 
-f "${firefoxBurpProfile}/prefs.js" ]; then
        cp ${prefsJs} "${firefoxBurpProfile}/prefs.js"
      fi
    '';

    # Web-testing and password-auditing tools for the NTS bundle, plus the two
    # launcher scripts (firefox-burp, nts-start) defined earlier in this file.
    environment.systemPackages = with pkgs; [
      burpsuite
      wfuzz
      ffuf
      dirbuster
      gobuster
      thc-hydra
      sqlmap
      john
      hashcat

      firefox-burp
      nts-start
    ];

    virtualisation.oci-containers.containers = {
      # DVWA is a deliberately vulnerable web application used as a practice
      # target.
      dvwa = rec {
        image = "vulnerables/web-dvwa";
        # "80:80" gives no bind address, so the container is published on
        # every host interface and is reachable by other machines on the same
        # network, not only by the local browser/Burp.
        # NOTE(review): if the exercises only need local access,
        # "127.0.0.1:80:80" keeps the vulnerable app off the network; confirm
        # against the course setup before changing.
        ports = [ "80:80" ];

        imageFile = pkgs.dockerTools.pullImage {
          imageName = image;

          # The image is pinned by registry digest and the fetched result by
          # its Nix hash, so the content cannot change without editing this
          # file, even though the local tag below is "latest".
          imageDigest = "sha256:dae203fe11646a86937bf04db0079adef295f426da68a92b40e3b181f337daa7";
          sha256 = "sha256-8XV3YQAwtwKkL0MzH1iui7CZMFLMz9uTvkaCvyb6OKU=";

          finalImageName = image;
          finalImageTag = "latest";

          os = "linux";
          arch = "x86_64";
        };
      };
    };
  };
}
--------------------------------------------------------------------------------
/.gitlab/ci/templates.yml:
--------------------------------------------------------------------------------
---

stages:
  - generate
  - trigger
  - test
  - build
  - qa
  - deploy
  - docker
  - misc

# Jobs using these rules run for merge requests whose source project is the
# upstream repository, for tags, and for the default branch.
.rules-default:
  rules:
    - if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_SOURCE_PROJECT_URL == "https://gitlab.cri.epita.fr/forge/infra/nixpie"'
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH


.default:
  extends: .rules-default
  image: registry.cri.epita.fr/forge/infra/nixpie/nix # only used for forks
  needs: []
  tags:
    - nix
  before_script:
    - mkdir -p ~/.aws
    - echo "[default]" > ~/.aws/config
    - source .gitlab/ci/utils.sh
    # Fix nix errors about dirty tree
    - git switch -t origin/master
    - git reset --hard $CI_COMMIT_SHA

# Matches merge requests whose source project is NOT the upstream repository,
# i.e. pipelines coming from forks.
.rules-fork-default:
  rules:
    - if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_SOURCE_PROJECT_URL != "https://gitlab.cri.epita.fr/forge/infra/nixpie"'

.fork-default: 39 | extends: .rules-fork-default 40 | tags: [] 41 | 42 | .generate: 43 | extends: .default 44 | stage: generate 45 | artifacts: 46 | paths: 47 | - pipeline.yml 48 | 49 | .generate-pipelines: 50 | extends: .generate 51 | artifacts: 52 | paths: 53 | - pipeline.yml 54 | 55 | .trigger: 56 | extends: .rules-default 57 | stage: trigger 58 | trigger: 59 | strategy: depend 60 | include: 61 | - job: generate 62 | artifact: pipeline.yml 63 | 64 | .test: 65 | extends: .default 66 | stage: test 67 | 68 | .build: 69 | extends: .default 70 | stage: build 71 | 72 | .qa: 73 | extends: .default 74 | stage: qa 75 | 76 | .deploy: 77 | extends: .default 78 | stage: deploy 79 | allow_failure: true 80 | rules: 81 | - when: manual 82 | 83 | .misc: 84 | extends: .default 85 | stage: misc 86 | 87 | .docker: 88 | extends: .default 89 | stage: docker 90 | needs: 91 | - build 92 | before_script: 93 | - !reference [.default, before_script] 94 | - nix_run skopeo login registry.cri.epita.fr --username $CI_REGISTRY_USER --password $CI_REGISTRY_PASSWORD 95 | script: 96 | - export buildExpression=".#${IMAGE}-docker" 97 | - nix -L build --impure "$buildExpression" 98 | - nix_run skopeo --insecure-policy copy "docker-archive:$(readlink -f ./result)" docker://$CI_REGISTRY_IMAGE/$IMAGE:$CI_COMMIT_SHA 99 | - nix_run skopeo --insecure-policy copy "docker-archive:$(readlink -f ./result)" docker://$CI_REGISTRY_IMAGE/$IMAGE:latest 100 | allow_failure: true 101 | rules: 102 | - when: manual 103 | -------------------------------------------------------------------------------- /images/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , nixpkgs 3 | , nixpkgsMaster 4 | , nixpkgsUnstable 5 | , pkgset 6 | , self 7 | , system 8 | , ... 9 | } @ inputs: 10 | let 11 | 12 | makeLocal = { ... 
} @ attr: builtins.listToAttrs (map (x: { name = "${x}-local"; value = (builtins.getAttr x attr) // { isLocal = true; }; }) (builtins.filter (x: (builtins.match (".+" + "-vm") x) == null) (builtins.attrNames attr))); 13 | 14 | nixosSystem = imageName: { isVM ? false, isLocal ? false, extraModules ? [ ] } @ args: 15 | let 16 | _imageName = if isVM then lib.removeSuffix "-vm" imageName else if isLocal then lib.removeSuffix "-local" imageName else imageName; 17 | 18 | specialArgs = import ./special-args.nix inputs imageName; 19 | 20 | modules = 21 | let 22 | inherit (import ./modules.nix inputs imageName) core global flakeModules; 23 | local = import "${toString ./.}/${_imageName}.nix"; 24 | in 25 | flakeModules ++ [ core global local ] ++ (lib.optional isVM ../profiles/vm) ++ (lib.optional isLocal ../profiles/local) ++ extraModules; 26 | in 27 | lib.nixosSystem { 28 | inherit system specialArgs; 29 | 30 | 31 | modules = modules ++ [ 32 | ({ lib, modulesPath, ... }: { 33 | system.build.vm = (import "${modulesPath}/../lib/eval-config.nix" { 34 | inherit system specialArgs; 35 | modules = modules ++ [ 36 | "${modulesPath}/virtualisation/qemu-vm.nix" 37 | { 38 | netboot.enable = lib.mkVMOverride false; 39 | networking.nameservers = lib.mkVMOverride [ "1.1.1.1" ]; 40 | cri.users.checkEpitaUserAllowed = false; 41 | cri.sm-inventory-agent.enable = lib.mkForce false; 42 | } 43 | ]; 44 | }).config.system.build.vm; 45 | }) 46 | ]; 47 | }; 48 | 49 | allHosts = { 50 | "nixos-docker" = { }; 51 | "nixos-exec" = { }; 52 | #"nixos-gpgpu" = { }; # disabled because cuda on NixOS is broken 53 | "nixos-image" = { }; 54 | "nixos-lan" = { }; 55 | "nixos-maths" = { }; 56 | "nixos-net" = { }; 57 | "nixos-nts" = { }; 58 | "nixos-pie" = { }; 59 | "nixos-prepa" = { }; 60 | "nixos-test" = { }; 61 | "nixos-immersion" = { }; 62 | "nixos-ssse" = { }; 63 | "nixos-majeures" = { }; 64 | "nixos-summer-program" = { }; 65 | "nixos-cnix-tty" = { }; 66 | 67 | "exam-pie" = { }; 68 | "exam-prepa" = { }; 69 
| "exam-maths" = { }; 70 | "exam-majeures" = { }; 71 | 72 | "nixos-exec-vm" = { isVM = true; }; 73 | "nixos-pie-vm" = { isVM = true; }; 74 | "nixos-prepa-vm" = { isVM = true; }; 75 | "nixos-test-vm" = { isVM = true; }; 76 | 77 | "france-ioi" = { }; 78 | "exam-france-ioi" = { }; 79 | }; 80 | 81 | localHosts = makeLocal allHosts; 82 | 83 | hosts = lib.mapAttrs nixosSystem (allHosts // localHosts); 84 | in 85 | hosts 86 | -------------------------------------------------------------------------------- /modules/packages/pkgs/ssse.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | let 4 | espIdfShell = pkgs.mkShell { 5 | name = "esp-idf-full-shell"; 6 | 7 | buildInputs = with pkgs; [ 8 | esp-idf-full 9 | ]; 10 | }; 11 | # Okay I spent way too much time on this one and this is the only thing I 12 | # could come up with. I am sorry for this monstruosity but bear with me 13 | # because it is a wild ride. The goal here is to have a script that launches a 14 | # nix shell with esp idf packages but I want the shell and its dependencies to 15 | # already be built to avoid downloading all the packages at runtime. However, 16 | # when I specify espIdfShell.drvPath in the script, it adds the derivation 17 | # itself (instead of its output) as a dependency for the script derivation 18 | # (because string interpolation adds the Nix store path to the context of the 19 | # whole string). Because of this, a bunch of unexpected paths end up in the 20 | # closure of our toplevel NixOS module. These paths appear in the 21 | # pkgs.closureInfo function but Nix itself does not consider theses paths as 22 | # real dependencies (I didn't dig the specifics any more). So when we build 23 | # our final store squashfs, the derivation tries to add these unexpected paths 24 | # to the archive but Nix does not add them to the build sandbox so everything 25 | # fails. 
26 | # The solution : remove the context so that the derivation itself doesn't 27 | # become a dependency. Then I add the derivation output path in the script as 28 | # in a comment so that the derivation is built and appears in our final store. 29 | espIdfShellDrvPath = builtins.unsafeDiscardStringContext "${espIdfShell.drvPath}"; 30 | espIdfShellStart = pkgs.writeShellScriptBin "esp-idf-shell" '' 31 | # nix shell for ${espIdfShell} 32 | # don't remove above line to enforce derivation build at image build 33 | ${config.nix.package}/bin/nix develop ${espIdfShellDrvPath} 34 | ''; 35 | in 36 | { 37 | options = { 38 | cri.packages.pkgs.ssse.enable = 39 | lib.options.mkEnableOption "dev SSSE CRI package bundle"; 40 | }; 41 | 42 | config = lib.mkIf config.cri.packages.pkgs.ssse.enable { 43 | cri.packages.python.ssse.enable = lib.mkDefault true; 44 | 45 | environment.systemPackages = with pkgs; [ 46 | arduino 47 | julia 48 | kicad-unstable 49 | liberio 50 | mosquitto 51 | nodePackages.node-red 52 | platformio-core 53 | sfml 54 | asio 55 | jsoncpp 56 | gnuplot 57 | tig 58 | ngspice 59 | pulseview 60 | sigrok-cli 61 | vscodium 62 | tlaplusToolbox 63 | espIdfShellStart 64 | framac 65 | 66 | # FORGE #65302 67 | ghidra-bin 68 | gcc-arm-embedded 69 | ]; 70 | 71 | environment.etc."security/group.conf".text = '' 72 | *;*;*;Al0000-2400;dialout 73 | ''; 74 | security.pam.services.sddm.text = lib.mkBefore '' 75 | auth required pam_group.so 76 | ''; 77 | }; 78 | } 79 | -------------------------------------------------------------------------------- /.gitlab-ci.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | include: 4 | # Overriden in .rules-default but left here for reference 5 | - template: Workflows/MergeRequest-Pipelines.gitlab-ci.yml 6 | - local: .gitlab/ci/templates.yml 7 | 8 | generate checks pipelines: 9 | extends: .generate-pipelines 10 | script: 11 | - .gitlab/ci/generate-checks-pipeline.sh | tee pipeline.yml 12 | 13 | 
generate checks pipelines for forks: 14 | extends: 15 | - generate checks pipelines 16 | - .fork-default 17 | 18 | generate images pipelines: 19 | extends: .generate-pipelines 20 | script: 21 | - .gitlab/ci/generate-images-pipeline.sh | tee pipeline.yml 22 | 23 | generate images pipelines for forks: 24 | extends: 25 | - generate images pipelines 26 | - .fork-default 27 | 28 | generate packages pipelines: 29 | extends: .generate-pipelines 30 | script: 31 | - .gitlab/ci/generate-packages-pipeline.sh | tee pipeline.yml 32 | 33 | generate packages pipelines for forks: 34 | extends: 35 | - generate packages pipelines 36 | - .fork-default 37 | 38 | trigger checks pipelines: 39 | extends: .trigger 40 | needs: 41 | - generate checks pipelines 42 | trigger: 43 | include: 44 | - job: generate checks pipelines 45 | artifact: pipeline.yml 46 | 47 | trigger checks pipelines for forks: 48 | extends: 49 | - trigger checks pipelines 50 | - .rules-fork-default 51 | needs: 52 | - generate checks pipelines for forks 53 | trigger: 54 | include: 55 | - job: generate checks pipelines for forks 56 | artifact: pipeline.yml 57 | 58 | trigger images pipelines: 59 | extends: .trigger 60 | needs: 61 | - generate images pipelines 62 | trigger: 63 | include: 64 | - job: generate images pipelines 65 | artifact: pipeline.yml 66 | 67 | trigger images pipelines for forks: 68 | extends: 69 | - trigger images pipelines 70 | - .rules-fork-default 71 | needs: 72 | - generate images pipelines for forks 73 | trigger: 74 | include: 75 | - job: generate images pipelines for forks 76 | artifact: pipeline.yml 77 | 78 | trigger packages pipelines: 79 | extends: .trigger 80 | needs: 81 | - generate packages pipelines 82 | trigger: 83 | include: 84 | - job: generate packages pipelines 85 | artifact: pipeline.yml 86 | 87 | trigger packages pipelines for forks: 88 | extends: 89 | - trigger packages pipelines 90 | - .rules-fork-default 91 | needs: 92 | - generate packages pipelines for forks 93 | trigger: 94 | 
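include:
  - job: generate packages pipelines for forks
    artifact: pipeline.yml

# Lint

show:
  extends: .qa
  script:
    - nix flake show

show for forks:
  extends:
    - show
    - .fork-default

fmt:
  extends: .qa
  script:
    - nix run .#nixpkgs-fmt -- --check $(find -name \*.nix)
  after_script:
    - nix run .#nixpkgs-fmt -- $(find -name \*.nix)
    - git diff | tee nixpkgs-fmt.diff
  artifacts:
    when: on_failure
    expose_as: "nixpkgs-fmt diff"
    paths:
      - nixpkgs-fmt.diff

fmt for forks:
  extends:
    - fmt
    - .fork-default

# Docker

nix-docker:
  extends: .docker
  needs: []
  variables:
    IMAGE: nix
--------------------------------------------------------------------------------
/pkgs/nixpie/exam-start/exam-start:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
import sh

from getpass import getuser
from termcolor import colored
from sys import exit, stderr
from pathlib import Path
from requests import Session
from requests_gssapi import HTTPSPNEGOAuth, exceptions as spnego_exceptions

EXAM_GIT_SERVER = "git.exam.forge.epita.fr"


class User:
    """Identity of the logged-in student, as reported by the CRI user API.

    The constructor queries USERINFO_ENDPOINT with the given session and
    refuses to build the object unless the API answers 200 and reports the
    same login as the local account.
    """

    class AuthFailed(RuntimeError):
        """Raised when the user-info request fails or the login differs."""

    # Attribute set on the instance -> key read from the API response.
    ATTR_MAP = {
        "firstname": "first_name",
        "lastname": "last_name",
        "email": "email",
    }

    USERINFO_ENDPOINT = "https://cri.epita.fr/api/v2/users/me/"
    SSH_KNOWN_HOSTS_PATH = Path("~/.ssh/known_hosts").expanduser()

    def __init__(self, login, session):
        """Fetch the profile for `login` through `session`.

        Raises:
            User.AuthFailed: on a SPNEGO exchange error, a non-200 answer,
                or when the API reports a different login.
        """
        self.login = login
        try:
            r = session.get(self.USERINFO_ENDPOINT)
        except spnego_exceptions.SPNEGOExchangeError as e:
            raise self.AuthFailed(str(e)) from e

        if r.status_code != 200:
            # The f-prefix was missing, so the message used to contain the
            # literal placeholders instead of the status and body.
            raise self.AuthFailed(f"status_code={r.status_code}: {r.text}")

        data = r.json()

        # The API identity must match the local account name.
        if data.get("login") != login:
            raise self.AuthFailed(
                f"login mismatch: expected '{login}' got '{data.get('login')}'"
            )

        for attr, key in self.ATTR_MAP.items():
            setattr(self, attr, data.get(key))

    def __str__(self):
        return self.login

    def get_full_name(self):
        """Return "<firstname> <lastname>" as used for git's user.name."""
        return f"{self.firstname} {self.lastname}"

    def configure_git(self):
        """Set the global git identity and seed known_hosts for the exam server.

        A failing git or ssh-keyscan command is reported on stderr and
        otherwise ignored; the caller is not told about it.
        """
        try:
            sh.git("config", "--global", "user.email", self.email)
            sh.git("config", "--global", "user.name", self.get_full_name())
            sh.git("config", "--global", "push.default", "simple")

            self.SSH_KNOWN_HOSTS_PATH.parent.mkdir(parents=True, exist_ok=True)
            # "w+" truncates any existing known_hosts file.
            # NOTE(review): the keys returned by ssh-keyscan are stored
            # without being compared to a known fingerprint, so trust in the
            # git server is established over the network at session start.
            # Shipping the server's public host key with the image would
            # remove that dependency.
            with open(self.SSH_KNOWN_HOSTS_PATH, "w+") as f:
                sh.Command("ssh-keyscan")(EXAM_GIT_SERVER, _out=f)
        except sh.ErrorReturnCode:
            # termcolor's keyword is `attrs`; the previous `attr=` raised a
            # TypeError here and hid the real error. The message now goes to
            # stderr like the other error messages in this script.
            print(
                colored(
                    "Error while configuring git",
                    "red",
                    attrs=["bold"],
                ),
                file=stderr,
            )

    def data(self):
        """Return a printable multi-line summary of the user."""
        return "\n".join(
            (
                f"login : {self.login}",
                f"firstname: {self.firstname}",
                f"lastname: {self.lastname}",
                f"email: {self.email}",
            ),
        )


if __name__ == "__main__":
    cri_login = getuser()
    # Shared and administrative accounts cannot start an exam.
    if cri_login in ["epita", "root"]:
        print(
            colored(f"{cri_login} is not a student", "red", attrs=["bold"]),
            file=stderr,
        )
        exit(1)

    # Authenticate to the API with the session's Kerberos credentials.
    session = Session()
    session.auth = HTTPSPNEGOAuth(opportunistic_auth=True)

    try:
        user = User(cri_login, session)
    except User.AuthFailed as e:
        print(
            colored(f"Login failed: {e}", "red", attrs=["bold"]),
            file=stderr,
        )
        exit(1)

    print(user.data())
    user.configure_git()
    print(colored("Exam is ready", "green", attrs=["bold"]))
--------------------------------------------------------------------------------
/modules/services/networking/sshd/ssh_host_rsa_key: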
-------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn 3 | NhAAAAAwEAAQAAAgEA4xEfQPAA0MaKHHs8arfTCjTk8F5/fgNZIc+Do11asRHLNMXr8pYe 4 | HGnsdpCrhK55Jmh29ixKfvza2G0Ik+rcQ1anKaVLxx3SDb2YHKZhwZOgd8AvOEbeizU5vF 5 | UnZNdyklxG9t/FY/NKm6JhwPtRIwqGaKEMFEFqhc+GgOu70Y+9zzj5hngZLRP/WYEJotII 6 | usAyYF0eWQcWSpBDV1XqTmwuZT/dTAdRaRyEyaf+Pu7hV/HDHURpT0Hr7RGqEDPQi2UDFP 7 | +SH2GDCI+19X74NaP15QMrlk36KvEjToHaKk1dPLXv1xj/z6CDggzAIEcVjZKOWGOWJxg7 8 | MWHvgWHhD8NUAkr1oDHl/sMx605Pxb9okEJmyZ0/kWs3GJRp48z7yg0YNSSbhWghEh0b2L 9 | ilZZX6yfd/pDzIGGu1RWfFsXSmd6gzHteoh8ueFh0MJK2ivTFPR01vm9yTW5riswIVu8LL 10 | ssmL4OGYsXbYyka6t5ALr9z3wuYcFcHHtc9EwKr7vr58BVI2wgJBSGJ2BZUKj8k4mLGza9 11 | 03u2L78qAay3SqjC8nA9766gyCt8x87attN0zHp4O8+mmePvryafRPH/il9CPTHiziTKVI 12 | xkrO2LpjSTAuRJkBq1dSFm96/yWo4+/bh64aPlk7oUMSOAtJZDbcIhRTvINVNf0uhwGsoJ 13 | sAAAc4TaLUNE2i1DQAAAAHc3NoLXJzYQAAAgEA4xEfQPAA0MaKHHs8arfTCjTk8F5/fgNZ 14 | Ic+Do11asRHLNMXr8pYeHGnsdpCrhK55Jmh29ixKfvza2G0Ik+rcQ1anKaVLxx3SDb2YHK 15 | ZhwZOgd8AvOEbeizU5vFUnZNdyklxG9t/FY/NKm6JhwPtRIwqGaKEMFEFqhc+GgOu70Y+9 16 | zzj5hngZLRP/WYEJotIIusAyYF0eWQcWSpBDV1XqTmwuZT/dTAdRaRyEyaf+Pu7hV/HDHU 17 | RpT0Hr7RGqEDPQi2UDFP+SH2GDCI+19X74NaP15QMrlk36KvEjToHaKk1dPLXv1xj/z6CD 18 | ggzAIEcVjZKOWGOWJxg7MWHvgWHhD8NUAkr1oDHl/sMx605Pxb9okEJmyZ0/kWs3GJRp48 19 | z7yg0YNSSbhWghEh0b2LilZZX6yfd/pDzIGGu1RWfFsXSmd6gzHteoh8ueFh0MJK2ivTFP 20 | R01vm9yTW5riswIVu8LLssmL4OGYsXbYyka6t5ALr9z3wuYcFcHHtc9EwKr7vr58BVI2wg 21 | JBSGJ2BZUKj8k4mLGza903u2L78qAay3SqjC8nA9766gyCt8x87attN0zHp4O8+mmePvry 22 | afRPH/il9CPTHiziTKVIxkrO2LpjSTAuRJkBq1dSFm96/yWo4+/bh64aPlk7oUMSOAtJZD 23 | bcIhRTvINVNf0uhwGsoJsAAAADAQABAAACAQC2bI8bcLZ3BMr4ztlfM4hNbulvY7wx1SbK 24 | zxkHKn0uPQlwwIIrRwex9DeRmfDyi+mxPcQ1SqgfFa4Mqqx1if6j6v4pqy8SLZcQiv2mJt 25 | Xq21vUWYaWQ/mPBZf5AsC/d4gIpjItLOI8xr1uBCtdC4vIBzCs5pX5wASAtJVvBfTDDCSG 26 | 
U1PFAL/ZQ3OmyNChCvUQdFEEsksrY1I5XWV8yP2RO8Caf5CfAFIbjFnyWREeJnTMXuNOpC 27 | OnFWMh90sV8UrecqzjNeCDbagEPNEHBpcLIUrwTne6LbOKxGiFLjXEPptlpxWlTeRXPrHo 28 | za2dQP7D2raZtIhxqDoGFpSA8c4JhGELBvP1pYzK0yHUlmptlO9/3Q2cwj0Bvc9ZE43CdU 29 | ba78z+IGJpeWz3f1uv0gUJ2A6IcXZUCHdTZ0NjhT1mofkqnKxWeeHpII3Du2cQFqQFS/PZ 30 | S7TbcPhgByokIPq0+b0aALmibfVLY9x6iMGD12ciw3fa7FskX1wvYhoTmirfwpH42UMDVr 31 | ppmnlXZxtNTytK4r82PAbfXYFIPiWGGuo4M8BP3roMSIs6hUayX16aRMBp24dpmb/+1yP7 32 | BHIwDCMea1Pocyz2gWTrMVl98cisj9jiLZpaqze/lyev0/HvNtlqGax3YaDlCVFr/Yftk3 33 | CHtNEGxirJGQs+YMF5IQAAAQEA7KgOO6Ooxqjhycu6AFZs7bZZ+ycU3NjYP6LTHC+zOdRb 34 | RHnZ+CNT8ztcCoJ98dJ4yCKGhqjfb6TgLyXWrWFCrVUWccEK4JmyNhI65Ld3w/Zop9JKMI 35 | vo0BZMEGTIjp2Uof6NhWTBIGtBOULw6kRiwDsXTneaPgATj1Vood/FjJWw6xSjuInzoGvR 36 | rvV5GwN1Z0GUjasPnmfmcNVllYFIz9cJwMHEPLkoOo0mrxRTR9BJatjQI/xbcZukuLmAae 37 | zvJWswaLt7Y2SqOqXqSvFWsAHEGhhwpryAIyes+Smjg2rQHZgTp7AgF4zXvq+O+yom9s4e 38 | WHuSXSk3qFhWZ6yyHQAAAQEA+Ljo+Sp6b2ceM7ECiI48FlUzvs415JLrKB4iDlMB9CpJCD 39 | hVSQLb3xyEgZso4JjpBQC17xGtyeGxyX0nOvJu9/G9SbnP5I8YEy0bHLFKAsP7LXhw9Bdd 40 | Tldiy1a8JxC//P6RuVGsnT4VafxJ6r0y+ahqcdDKbHWO+V7bG7gZdgVRwzuJnhJswLK07U 41 | WdpT3T5QF0RNs2FVNc0WEDoEi2pO/TLO3m93vMHY3HBbvEjxKJr+2mcU05HUdIEWytaF1+ 42 | yKU29e5nVlFH8Q3ONMnT+3Y62ZbX19Vzb28kfxwRSzBUouBMZyxO39insoBUzMRqMoUJal 43 | YSHU4tG/qpLXDmNQAAAQEA6bX/vqvBOS17zGm1aG17RY15bmPX7YbXfex9Ynwj+fPAbXL+ 44 | HObRCSvVpJbNxE3uaYiYFoQlZzvqmSl/oNSuGTVqY1dRDwaEk6F7yIsvoSU4TPW3Iure0k 45 | kJUx/aj/Q/kVuwBSS8uCbA4UcqHm+KkreM3Amra12Dcetq+nOObamJXoIk3rwWHjDuGkrJ 46 | 1orhJIdMf58fxNVRux/f7fVXEfggMU4ocR+6IXx7OjvI6J3YXREqsSYyDf/pDLXcZrG4OP 47 | 37/GLCvrw5g7qMT6Rc967tHiUix690iddq/dAuskMth46beTroRJ8iqwIAbAd656m3r/80 48 | O9EWl3jLbkkFjwAAAAAB 49 | -----END OPENSSH PRIVATE KEY----- 50 | -------------------------------------------------------------------------------- /pkgs/tools/backup/clonezilla/default.nix: -------------------------------------------------------------------------------- 1 | { lib 2 | , fetchurl 3 | , stdenv 4 | , makeWrapper 5 
| , buildFHSEnv 6 | , perl 7 | , bc 8 | , bzip2 9 | , cifs-utils 10 | , coreutils 11 | , dialog 12 | , dosfstools 13 | , ecryptfs 14 | , file 15 | , gptfdisk 16 | , gzip 17 | , lbzip2 18 | , lrzip 19 | , lvm2 20 | , lzop 21 | , ncurses 22 | , ntfs3g 23 | , partclone 24 | , parted 25 | , partimage 26 | , pbzip2 27 | , pigz 28 | , pixz 29 | , procps 30 | , screen 31 | , sshfs 32 | , xz 33 | }: 34 | 35 | let 36 | pname = "clonezilla"; 37 | version = "5.6.13"; 38 | 39 | meta = with lib; { 40 | description = "ncurses partition and disk imaging/cloning program"; 41 | homepage = "https://clonezilla.org"; 42 | license = licenses.gpl2; 43 | platforms = platforms.linux; 44 | }; 45 | 46 | clonezilla = stdenv.mkDerivation { 47 | inherit pname version; 48 | 49 | src = fetchurl { 50 | url = "http://free.nchc.org.tw/drbl-core/src/stable/${pname}-${version}.tar.xz"; 51 | sha256 = "sha256-5BDJSicJbebQQQGFIk2W1ewuas8Znt6P+TRLlNkUXmM="; 52 | }; 53 | 54 | nativeBuildInputs = [ makeWrapper ]; 55 | 56 | propagatedBuildInputs = [ perl ]; 57 | 58 | postPatch = '' 59 | sed -i 's@$(DESTDIR)/usr@$(DESTDIR)@g' Makefile 60 | sed -i 's@''${DESTDIR}/usr@''${DESTDIR}@g' Makefile 61 | ''; 62 | 63 | installFlags = [ 64 | "DESTDIR=$(out)" 65 | "SHAREDIR=share/drbl" 66 | ]; 67 | 68 | inherit meta; 69 | }; 70 | drbl = stdenv.mkDerivation rec { 71 | pname = "drbl"; 72 | version = "5.3.2"; 73 | 74 | src = fetchurl { 75 | url = "http://free.nchc.org.tw/drbl-core/src/stable/${pname}-${version}.tar.xz"; 76 | sha256 = "sha256-lEH8/qQLJOj1oSl9ox9NGRLMbKT0Fjy2TXJkKv8oUoA="; 77 | }; 78 | 79 | propagatedBuildInputs = [ perl ]; 80 | 81 | postPatch = '' 82 | sed -i 's@$(DESTDIR)/usr@$(DESTDIR)@g' Makefile 83 | sed -i 's@''${DESTDIR}/usr@''${DESTDIR}@g' Makefile 84 | cat Makefile 85 | ''; 86 | 87 | installFlags = [ 88 | "DESTDIR=$(out)" 89 | "SHAREDIR=share/drbl" 90 | ]; 91 | 92 | meta = with lib; { 93 | description = "Diskless Remote Boot in Linux: manage the deployment of the GNU/Linux operating system across 
many clients"; 94 | homepage = "https://drbl.org"; 95 | license = licenses.gpl2; 96 | platforms = platforms.linux; 97 | }; 98 | }; 99 | in 100 | buildFHSEnv { 101 | name = pname; 102 | targetPkgs = pkgs: [ 103 | clonezilla 104 | drbl 105 | bc 106 | bzip2 107 | cifs-utils 108 | coreutils 109 | dialog 110 | dosfstools 111 | ecryptfs 112 | file 113 | gptfdisk 114 | gzip 115 | lbzip2 116 | lrzip 117 | (lvm2.overrideAttrs (old: { 118 | # nixpkgs issue 369732 119 | # https://github.com/NixOS/nixpkgs/issues/369732 120 | configureFlags = old.configureFlags ++ [ "--with-default-profile-subdir=profile.d" ]; 121 | })) 122 | lzop 123 | ntfs3g 124 | (partclone.overrideAttrs (old: { 125 | buildInputs = old.buildInputs ++ [ ncurses ]; 126 | configureFlags = old.configureFlags ++ [ "--enable-ncursesw" ]; 127 | hardeningDisable = [ "format" ]; #FIXME: I don't know why this is necessary 128 | })) 129 | parted 130 | partimage 131 | pbzip2 132 | perl 133 | pigz 134 | pixz 135 | procps 136 | screen 137 | sshfs 138 | xz 139 | ]; 140 | inherit meta; 141 | } 142 | -------------------------------------------------------------------------------- /modules/services/networking/privoxy.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... 
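}:

with lib;

let
  # Proxy auto-config file served as wpad.dat by the local web server.
  # "DIRECT" is listed after the proxy, so a PAC-aware client falls back to a
  # direct connection when nothing answers on port 8118.
  # NOTE(review): confirm this fail-open fallback is intended on images where
  # the proxy is meant to enforce blocking.
  proxypac = pkgs.writeTextDir "wpad.dat" ''
    function FindProxyForURL (url, host) {
      return 'PROXY localhost:8118; DIRECT';
    }
  '';
  privoxyRuntimePath = "/var/run/privoxy";
  privoxyActionsPath = "/var/run/privoxy/epita.actions";
  privoxyCertDirPath = "/etc/privoxy";
  privoxyCACertPath = "/etc/privoxy/cacert.crt";
  privoxyCAKeyPath = "/etc/privoxy/cakey.key";
in
{
  options = {
    cri.privoxy = {
      # mkEnableOption already prepends "Whether to enable", so only the name
      # of the feature is passed.
      enable = mkEnableOption "privoxy";
      actionsEndpoint = mkOption {
        type = types.str;
        default = "https://s3.cri.epita.fr/cri-fleet-manager/privoxy.actions";
        description = "privoxy dynamic action config endpoint";
      };
    };
  };

  config = mkIf config.cri.privoxy.enable {
    # Generates a self-signed CA for HTTPS inspection on first activation and
    # appends it to the system CA bundles.
    #
    # Security notes:
    #  - Because the CA is added to the system trust store, anyone able to
    #    read cakey.key can issue certificates this machine will accept. The
    #    key is written unencrypted (-nodes) and ends up root:privoxy, mode
    #    640.
    #  - The guard only checks for the certificate; a missing key with the
    #    certificate still present is not regenerated.
    #  - `rm -f` is used so that a bundle path that does not exist on a given
    #    image does not make the activation snippet report a failure.
    system.activationScripts.privoxy-ca-gen = {
      deps = [ "users" "groups" "etc" ];
      text = ''
        if [[ ! -f "${privoxyCACertPath}" ]]; then
          mkdir -p ${privoxyCertDirPath}

          ${pkgs.openssl}/bin/openssl req -new -newkey rsa:2048 -sha256 \
            -days 3650 -nodes -x509 -extensions v3_ca \
            -keyout ${privoxyCAKeyPath} -out ${privoxyCACertPath} \
            -subj '/CN=Exam proxy CA/C=FR/ST=Val-de-Marne/L=Le Kremlin-Bicetre/O=EPITA Forge'

          chown -R root:privoxy ${privoxyCertDirPath}
          chmod 640 ${privoxyCertDirPath}/*
        fi


        # Remove symlink created by nix
        rm -f /etc/ssl/certs/ca-certificates.crt
        rm -f /etc/ssl/certs/ca-bundle.crt
        rm -f /etc/pki/tls/certs/ca-bundle.crt

        # Add our CA to system's CA bundle
        cat ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${privoxyCACertPath} > /etc/ssl/certs/ca-certificates.crt
        cat ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${privoxyCACertPath} > /etc/ssl/certs/ca-bundle.crt
        cat ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${privoxyCACertPath} > /etc/pki/tls/certs/ca-bundle.crt
      '';
    };

    services.privoxy = {
      enable = true;
      inspectHttps =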
true; 61 | settings = { 62 | actionsfile = [ privoxyActionsPath ]; 63 | debug = [ 1 1024 ]; # log requests 64 | enable-remote-toggle = false; 65 | enable-edit-actions = false; 66 | enable-remote-http-toggle = false; 67 | enforce-blocks = true; 68 | ca-cert-file = privoxyCACertPath; 69 | ca-key-file = privoxyCAKeyPath; 70 | }; 71 | }; 72 | 73 | systemd.tmpfiles.rules = [ "d ${privoxyRuntimePath} 0770 privoxy privoxy" ]; 74 | 75 | systemd.services.privoxy = { 76 | wants = [ "network-online.target" ]; 77 | after = [ "network-online.target" ]; 78 | preStart = '' 79 | ${pkgs.curl}/bin/curl --fail -o ${privoxyActionsPath} "${config.cri.privoxy.actionsEndpoint}" 80 | ''; 81 | serviceConfig = { 82 | Restart = "on-failure"; 83 | }; 84 | }; 85 | 86 | networking.proxy = { 87 | httpProxy = "http://127.0.0.1:8118"; 88 | httpsProxy = "http://127.0.0.1:8118"; 89 | }; 90 | 91 | networking.hosts = { 92 | "127.0.0.1" = [ "wpad" ]; 93 | }; 94 | 95 | services.lighttpd = { 96 | enable = true; 97 | document-root = proxypac; 98 | }; 99 | }; 100 | } 101 | -------------------------------------------------------------------------------- /.gitlab/ci/generate-images-pipeline.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -euo pipefail 4 | 5 | source "${CI_PROJECT_DIR}/.gitlab/ci/utils.sh" 6 | 7 | function getChangedImages() { 8 | echoInfo "Evaluating images..." 9 | nix_run nix-eval-jobs --check-cache-status --flake "${CI_PROJECT_DIR}#gitlabCiJobs.images.x86_64-linux" | tee "${DIFF_DIR}/images.jsonl" 1>&2 10 | jq -r '. | select(.isCached == false or .error != null) | .attr' "${DIFF_DIR}/images.jsonl" | xargs 11 | } 12 | 13 | echoInfo "Getting ready..." 14 | 15 | mkdir -p "$DIFF_DIR" 16 | 17 | print_defaults 18 | 19 | echoInfo "Starting pipeline generation..." 
20 | 21 | allImages="$(nix_run list-images | xargs)" 22 | changedImages="" 23 | if [ -n "${ALL_IMAGES:-}" ]; then 24 | changedImages="$allImages" 25 | else 26 | changedImages="$(getChangedImages)" 27 | fi 28 | 29 | echoWarn "Images to be rebuilt are: ${changedImages}" 30 | 31 | echoInfo "Generating pipeline..." 32 | 33 | for image in ${changedImages}; do 34 | echoInfo "Generating jobs for image ${image}..." 35 | cat < ~/.aws/credentials 57 | - nix copy --to "s3://\${AWS_NIX_CACHE_BUCKET}?scheme=https&endpoint=\${AWS_NIX_CACHE_ENDPOINT}" "\$buildExpression" 58 | 59 | ${image}:deploy: 60 | extends: .deploy 61 | needs: 62 | - ${image}:build 63 | variables: 64 | NIXPIE_LABEL_VERSION: "$(git rev-parse --short HEAD)" 65 | script: 66 | - buildExpression=".#nixosConfigurations.${image}.config.system.build.toplevel-netboot" 67 | - nix -L build --impure "\$buildExpression" 68 | - storePath="\$(readlink -f ./result)" 69 | - cat "\${AWS_PXE_IMAGES_CREDENTIALS_FILE}" > ~/.aws/credentials 70 | - nix_run awscli s3 --endpoint-url "\${AWS_PXE_IMAGES_ENDPOINT}" cp --acl public-read --recursive "\$storePath" "s3://\${AWS_PXE_IMAGES_BUCKET}" 71 | - rm -f ./result 72 | - nix store delete --impure "\$storePath" 73 | EOF 74 | 75 | if nix_run list-docker | grep "${image}" > /dev/null; then 76 | cat < ~/.aws/credentials 105 | - nix_run awscli s3 --endpoint-url "\${AWS_PXE_IMAGES_ENDPOINT}" cp --acl public-read --recursive "\$storePath" "s3://\${AWS_PXE_IMAGES_BUCKET}" 106 | - rm -f ./result 107 | - nix store delete --impure "\$storePath" 108 | EOF 109 | fi 110 | done 111 | fi 112 | 113 | 114 | echoSuccess "All done!" 115 | -------------------------------------------------------------------------------- /pkgs/top-level/all-packages.nix: -------------------------------------------------------------------------------- 1 | /* The top-level package collection of NixPIE. 2 | * It is sorted by categories corresponding to the folder names 3 | * in the /pkgs folder. 
Inside the categories packages are roughly 4 | * sorted by alphabet. 5 | * Hint: ### starts category names. 6 | */ 7 | { 8 | ### NIXPIE 9 | 10 | exam-start = ../nixpie/exam-start; 11 | 12 | exec-tools = ../nixpie/exec-tools; 13 | 14 | nixpie-utils = ../nixpie/nixpie-utils; 15 | 16 | ipxe-forge = ../tools/ipxe-forge; 17 | 18 | ### TOOLS 19 | 20 | clonezilla = ../tools/backup/clonezilla; 21 | 22 | dumptorrent = { 23 | path = ../by-name/du/dumptorrent/package.nix; 24 | args = final: prev: { inherit (prev) dumptorrent; }; 25 | }; 26 | 27 | salt = { 28 | path = ../by-name/sa/salt/package.nix; 29 | args = final: prev: { inherit (prev) salt; }; 30 | }; 31 | 32 | ### DEVELOPMENT / COMPILERS 33 | 34 | clang32-alias = ../development/compilers/clang32-alias; 35 | 36 | reflex = ../development/compilers/reflex; 37 | 38 | havm = ../development/compilers/havm; 39 | 40 | m68k = { 41 | path = ../development/compilers/m68k; 42 | callPackage = final: prev: final.qt5.callPackage; 43 | }; 44 | 45 | nolimips = ../development/compilers/nolimips; 46 | 47 | ocaml = { 48 | path = ../development/compilers/ocaml; 49 | args = final: prev: { inherit (prev) ocaml; }; 50 | }; 51 | 52 | ovm = ../development/compilers/ovm; 53 | 54 | ### DEVELOPMENT / TOOLS 55 | 56 | clang-format-epita = ../development/tools/clang-format-epita; 57 | 58 | dirbuster = ../development/tools/dirbuster; 59 | 60 | ### DEVELOPMENT / PYTHON MODULES 61 | 62 | missingno = { 63 | path = ../development/python-modules/missingno; 64 | callPackage = final: prev: final.python3Packages.callPackage; 65 | }; 66 | 67 | dash-daq = { 68 | path = ../development/python-modules/dash-daq; 69 | callPackage = final: prev: final.python3Packages.callPackage; 70 | }; 71 | 72 | dash-colorscales = { 73 | path = ../development/python-modules/dash-colorscales; 74 | callPackage = final: prev: final.python3Packages.callPackage; 75 | }; 76 | 77 | strsimpy = { 78 | path = ../development/python-modules/strsimpy; 79 | callPackage = final: prev: 
final.python3Packages.callPackage; 80 | }; 81 | 82 | dtale = { 83 | path = ../development/python-modules/dtale; 84 | callPackage = final: prev: final.python3Packages.callPackage; 85 | }; 86 | 87 | jupyter-dash = { 88 | path = ../development/python-modules/jupyter-dash; 89 | callPackage = final: prev: final.python3Packages.callPackage; 90 | }; 91 | 92 | jupyter_latex_envs = { 93 | path = ../development/python-modules/jupyter_latex_envs; 94 | callPackage = final: prev: final.python3Packages.callPackage; 95 | }; 96 | 97 | nbtranslate = { 98 | path = ../development/python-modules/nbtranslate; 99 | callPackage = final: prev: final.python3Packages.callPackage; 100 | }; 101 | 102 | ### DEVELOPMENT / LIBRARIES 103 | 104 | libfff = ../development/libraries/libfff; 105 | 106 | spot-lrde = ../development/libraries/spot-lrde; 107 | 108 | ### OS-SPECIFIC 109 | 110 | pam_afs_session = ../os-specific/linux/pam_afs_session; 111 | 112 | pam_subuid = ../os-specific/linux/pam_subuid; 113 | 114 | ### APPLICATIONS 115 | 116 | geany = { 117 | path = ../applications/editors/geany; 118 | args = final: prev: { inherit (prev) geany; }; 119 | }; 120 | 121 | i3lock = { 122 | path = ../applications/window-managers/i3/lock.nix; 123 | args = final: prev: { inherit (prev) i3lock; }; 124 | }; 125 | 126 | ciscoPacketTracer8 = { 127 | path = ../applications/networking/cisco-packet-tracer; 128 | args = final: prev: { inherit (prev) ciscoPacketTracer8; }; 129 | }; 130 | 131 | tina = ../applications/editors/tina; 132 | 133 | sddm-epita-themes = ../applications/display-managers/sddm/sddm-epita-themes.nix; 134 | 135 | ### NSWRAPPERS 136 | 137 | nswrappers = ../nswrappers; 138 | 139 | ### DATA / DOCUMENTATION 140 | 141 | numpy-doc = ../data/documentation/numpy; 142 | } 143 | -------------------------------------------------------------------------------- /images/nixos-cnix-tty.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
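}:

# Exam/activity image that pulls a container image ("tty-env") over BitTorrent
# and starts it with podman. The download step runs as root through a setuid
# wrapper, so everything reachable from that wrapper is root-equivalent for any
# local user.
let
  imageName = "tty-env";
  imageFilename = "${imageName}.tar.gz";
  torrentFilename = "${imageFilename}.torrent";
  s3Bucket = "https://s3.cri.epita.fr/acu-cnix-tty-activity";
  torrentDir = config.netboot.torrent.mountPoint;

  # Root-side download script: fetches the .torrent over HTTPS, downloads the
  # image with aria2c into torrentDir, then restarts the aria2 service so the
  # machine seeds the image. All tools are referenced by absolute store path,
  # so the script does not depend on PATH.
  downloadTtyImage = pkgs.writeShellScript "download_tty_image.sh" ''
    set -eu

    echo "Fetching torrent file"
    ${pkgs.curl}/bin/curl --fail --remove-on-error --connect-timeout 60 "${s3Bucket}/${torrentFilename}" --output "${torrentDir}/${torrentFilename}"

    echo "Fetching image using torrent"

    aria2_base="-V --file-allocation=prealloc --enable-mmap=true --allow-overwrite=true --bt-enable-lpd=true"
    aria2_tracker="--bt-tracker-connect-timeout=20 --bt-tracker-timeout=20"
    aria2_summary="--summary-interval=60"
    aria2_nodht="--enable-dht=false --enable-dht6=false"
    aria2_noseed="--seed-time=0 --seed-ratio=0"
    aria2_opts="$aria2_base $aria2_tracker $aria2_summary $aria2_nodht $aria2_noseed"

    # $aria2_opts is left unquoted on purpose: it must split into options.
    ${pkgs.aria2}/bin/aria2c $aria2_opts \
      --dir="${torrentDir}" --index-out=1="${imageFilename}" \
      "${torrentDir}/${torrentFilename}"

    echo "Restarting aria2 for seeding"
    ${pkgs.systemd}/bin/systemctl restart aria2
  '';

  # C source of the binary that security.wrappers installs setuid root.
  #
  # The previous version called system() after setuid(0). That handed the
  # caller's whole environment to a root shell (once the real uid is 0 the
  # shell no longer treats the process as privilege-elevated), ignored a
  # failing setuid(), and returned the raw wait status from main(), so a failed
  # download could be reported as exit code 0. The wrapper now checks setuid(),
  # starts the script with an empty environment and no intermediate shell, and
  # lets the script's own exit status reach the caller.
  setuidDownloadWrapperSrc = pkgs.writeText "cnixtty-downloader-wrapper.c" ''
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>

    int main(void)
    {
      /* Nothing from the unprivileged caller's environment is passed on. */
      char *const script_env[] = { NULL };
      char *const script_argv[] = { "download_tty_image", NULL };

      if (setuid(0) != 0)
      {
        perror("setuid");
        return EXIT_FAILURE;
      }

      execve("${downloadTtyImage}", script_argv, script_env);

      /* Only reached when execve() itself failed. */
      perror("execve");
      return EXIT_FAILURE;
    }
  '';

  setuidDownloadWrapper = pkgs.runCommandCC "download_tty_image" { } ''
    gcc -o "$out" "${setuidDownloadWrapperSrc}"
  '';

  # User-facing launcher: looks up the latest tag, downloads and loads the
  # image when it is missing, copies the user's git/ssh configuration out of
  # AFS and starts the container.
  tty_launch = pkgs.writeShellScriptBin "tty_launch" ''
    set -eu

    echo "Fetching latest image tag"
    LATEST_TAG=$(${pkgs.curl}/bin/curl --fail "${s3Bucket}/latest_tag")
    echo "Latest tag is $LATEST_TAG"

    # The tag is remote input that ends up in podman arguments: accept only the
    # characters a container image tag may contain.
    case "$LATEST_TAG" in
      "" | *[!A-Za-z0-9_.-]*)
        echo "Unexpected image tag, refusing to continue" >&2
        exit 1
        ;;
    esac

    # If the image with the fetched tag is absent, download the torrent file
    # NOTE(review): the name checked here ("${imageName}:TAG") differs from the
    # one started below ("localhost/tty_${imageName}:TAG") - confirm which name
    # the loaded archive actually provides.
    if ! podman image exists "${imageName}:$LATEST_TAG" > /dev/null 2>&1; then
      echo "Image is missing from disk, downloading."
      /run/wrappers/bin/download_tty_image

      echo "Image finished downloading, loading in podman"
      podman load -i "${torrentDir}/${imageFilename}"
    fi

    # Hack to be able to chown those files in the container
    cat "$HOME/afs/.confs/gitconfig" > "$HOME/tty_gitconfig"
    # The old test looked at tty_sh but created tty_ssh, so a second run failed
    # in mkdir under "set -e"; mkdir -p is idempotent.
    mkdir -p "$HOME/tty_ssh"
    for f in "$HOME"/afs/.confs/ssh/*; do
      name=$(basename "$f")
      cat "$f" > "$HOME/tty_ssh/$name"
    done

    # Run the container
    # The Kerberos ticket cache is mounted into the container, so the
    # container acts with the user's Kerberos identity.
    KRB5CCACHE=$(klist | head -1 | cut -d : -f 3)
    podman run -it -v "$KRB5CCACHE:/tmp/krb5cc_1000" \
      -v "$HOME/tty_gitconfig:/home/student/.gitconfig:copy,U" \
      -v "$HOME/tty_ssh:/home/student/.ssh/:copy,U" \
      "localhost/tty_${imageName}:$LATEST_TAG"
  '';
in
{
  # Define the shell script to generate the static /etc/issue file
  environment.etc."issue".text = lib.strings.concatStrings [
    (builtins.readFile (pkgs.runCommand "cnix-tty-issue" { buildInputs = with pkgs; [ ncurses ]; } (builtins.readFile ./tty-issue.sh)))
    "\n${config.system.nixos.distroName} ${config.system.nixos.label} (\\m) - \\l\n\n"
  ];

  # Installs the wrapper setuid root as /run/wrappers/bin/download_tty_image;
  # any local user can run it.
  security.wrappers = {
    download_tty_image = {
      setuid = true;
      owner = "root";
      group = "root";
      source = setuidDownloadWrapper;
    };
  };

  cri = {
    packages.pkgs = {
      podman.enable = true;
    };

    aria2.enable = true;
  };

  netboot.enable = true;

  environment.systemPackages = [
    tty_launch
  ];
}


--------------------------------------------------------------------------------
/modules/packages/pkgs/libvirt.nix:
--------------------------------------------------------------------------------
{ config, lib, pkgs, ...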
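}:

let
  # The following wrappers override the XDG_CONFIG_HOME environment variable to
  # prevent libvirt from using ~/.config for anything. The reason behind this
  # is that ~/.config is a symlink to student's AFS volumes. We don't want to
  # persist this config and it simply does not work because QEMU cannot create
  # Unix sockets in AFS.
  #
  # Both wrappers were copies of the same script, so they are built by one
  # helper. Compared with the copies, the generated launcher now starts with a
  # shebang (it could previously only be started by a shell falling back on a
  # file without one) and forwards its arguments, which the old
  # "exec -a <name> <hidden>" line dropped.
  wrapWithTmpConfig = { name, package, binary }: pkgs.symlinkJoin {
    inherit name;
    paths = [ package ];
    postBuild = ''
      prog=$out/bin/${binary}

      # Pick a free name for the original program next to the launcher.
      hidden="$(dirname "$prog")/.$(basename "$prog")"-wrapped
      while [ -e "$hidden" ]; do
        hidden="''${hidden}_"
      done

      mv "$prog" "$hidden"

      {
        echo '#!${pkgs.runtimeShell}'
        echo 'export XDG_CONFIG_HOME="$HOME/.tmpconfig"'
        echo "exec -a ${binary} \"$hidden\" \"\$@\""
      } > "$prog"

      chmod +x "$prog"
    '';
  };

  wrappedVirtManager = wrapWithTmpConfig {
    name = "virt-manager";
    package = pkgs.virt-manager;
    binary = "virt-manager";
  };
  wrappedLibvirt = wrapWithTmpConfig {
    name = "libvirt";
    package = pkgs.libvirt;
    binary = "virsh";
  };
in

{
  options = {
    cri.packages.pkgs.libvirt = {
      enable = lib.options.mkEnableOption "libvirt Forge package bundle";
      enableDiskPartition = lib.options.mkEnableOption "work partition for libvirt";
    };
  };

  config = lib.mkIf config.cri.packages.pkgs.libvirt.enable (lib.mkMerge [
    {
      virtualisation.libvirtd = {
        enable = true;
        package = wrappedLibvirt;
      };

      environment.systemPackages = with pkgs; [
        wrappedVirtManager
        aria # for iso download
      ];

      # Marks the "default" libvirt network as autostarted.
      systemd.services.libvirtd-config.script = lib.mkAfter ''
        mkdir -p /var/lib/libvirt/qemu/networks/autostart
        ln -sf /var/lib/libvirt/qemu/networks/default.xml /var/lib/libvirt/qemu/networks/autostart/
      '';
    }
    (lib.mkIf config.cri.packages.pkgs.libvirt.enableDiskPartition {
      # One-shot root service that creates (when missing), formats and mounts
      # a 32G work partition on the machine's only disk.
      systemd.services.forge-libvirt-disk-setup = {
        description = "Forge libvirt work partition setup";
        wantedBy = [ "multi-user.target" ];
        path = with pkgs; [ gptfdisk e2fsprogs util-linux coreutils-full ];
        script = ''
          set -euo pipefail

          # NOTE(review): the marker lives in /run; assuming /run is cleared at
          # boot, the partition is re-formatted on every boot. Confirm that
          # losing its contents each time is intended.
          if [ -e /run/forge-libvirt-disk-setup.done ]; then
            exit
          fi

          if [ ! -e /dev/disk/by-partlabel/libvirt-workdir ]; then

            echo "Scanning disks on the system:"
            # "|| true": with pipefail a grep without match would otherwise
            # end the script before the explicit error message below.
            disks="$(lsblk --list --noheadings --paths --output NAME,SIZE,TYPE | grep ' disk' || true)"

            if [ -z "$disks" ]; then
              echo "Error: no disk found!"
              exit 1
            fi

            # Refuse to guess when more than one disk is present: the next
            # step changes the partition table.
            DISK_NAME="/dev/invalid"
            if [ "$(echo "$disks" | wc -l)" -ne 1 ]; then
              echo "Multiple disks found. Exiting"
              exit 1
            else
              DISK_NAME="$(echo "$disks" | cut -d" " -f1)"
            fi

            # Assumes partition number 3 is free on that disk - TODO confirm
            # against the installer's partition layout.
            sgdisk --new 3:0:+32G "$DISK_NAME"
            sgdisk --change-name 3:libvirt-workdir "$DISK_NAME"

            partx --update "$DISK_NAME"

            sleep 5
          fi

          mkfs.ext4 -F -L libvirt-workdir /dev/disk/by-partlabel/libvirt-workdir

          mkdir -p /srv/libvirt-workdir
          mount /dev/disk/by-partlabel/libvirt-workdir /srv/libvirt-workdir
          # World-writable like /tmp, with the sticky bit so users cannot
          # remove or rename each other's files. This replaces a recursive
          # 777, which also opened lost+found on the fresh filesystem.
          chmod 1777 /srv/libvirt-workdir

          touch /run/forge-libvirt-disk-setup.done
        '';

        serviceConfig = {
          Type = "oneshot";
        };
      };
    })
  ]);
}
--------------------------------------------------------------------------------
/pkgs/applications/editors/tina/default.nix:
--------------------------------------------------------------------------------
{ stdenv
, lib
, fetchurl
, makeWrapper
, autoPatchelfHook
, makeDesktopItem
, copyDesktopItems
, lndir
, buildFHSEnv
, alsa-lib
, dbus
, dpkg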
, expat
, fontconfig
, glib
, libdrm
, libglvnd
, libpulseaudio
, libudev0-shim
, libxkbcommon
, libxml2
, libxslt
, nspr
, nss
, tcl-8_5
, tk-8_5
, xorg
}:
let
  version = "3.8.5";

  # Pre-built upstream binaries. The archive is fetched over HTTPS and pinned
  # by hash, so a changed upstream tarball fails the build instead of being
  # installed silently.
  src = fetchurl {
    url = "https://projects.laas.fr/tina/binaries/tina-${version}-amd64-linux.tgz";
    sha256 = "sha256-PsGqutHACpwG3HqVKXWZEWRdvjfbF3zIFqtgD1j+zKA=";
  };

  # Both derivations below unpack the tarball the same way.
  unpackTarball = ''
    tar -xvf $src --strip-components=1
  '';

  # Tina files with patch elf: every executable except "nd" is wrapped so that
  # it finds the bundled libraries through LD_LIBRARY_PATH.
  tinaPatched = stdenv.mkDerivation {
    pname = "tina-patched";
    inherit version src;

    nativeBuildInputs = [
      autoPatchelfHook
      makeWrapper
    ];

    unpackPhase = unpackTarball;
    installPhase = ''
      mkdir -p $out
      cp -r bin lib $out

      for bin in $out/bin/*; do
        bname=$(basename "$bin")
        if [ -f "$bin" ] && [ -x "$bin" ] && [ "$bname" != "nd" ]; then
          wrapProgram "$bin" \
            --prefix LD_LIBRARY_PATH : "$out/lib"
        fi
      done

      mkdir $out/share
      cp -r doc $out/share
      cp -r nets $out/share
    '';
  };

  # Unpack Tina nd binary without patch elf (fixup is disabled); this tree is
  # only used inside the FHS environment below.
  tinaUnpatched = stdenv.mkDerivation {
    pname = "tina-unpatched";
    inherit version src;

    dontFixup = true;

    unpackPhase = unpackTarball;

    installPhase = ''
      mkdir -p $out
      cp -r bin lib $out
      mkdir $out/share
      cp -r doc nets $out/share
    '';
  };

  # ND FHS environment: runs the unpatched /usr/bin/nd with the libraries
  # listed here.
  ndFhs = buildFHSEnv {
    name = "nd";
    targetPkgs = pkgs: with pkgs; [
      tinaUnpatched
      alsa-lib
      dbus
      expat
      fontconfig
      glib
      libdrm
      libglvnd
      libpulseaudio
      libudev0-shim
      libxkbcommon
      libxml2
      libxslt
      nspr
      nss
      tcl-8_5
      tk-8_5
      xorg.libICE
      xorg.libSM
      xorg.libX11
      xorg.libxcb
      xorg.libXcomposite
      xorg.libXcursor
      xorg.libXdamage
      xorg.libXext
      xorg.libXfixes
      xorg.libXi
      xorg.libXrandr
      xorg.libXrender
      xorg.libXScrnSaver
      xorg.libXtst
      xorg.xcbutilimage
      xorg.xcbutilkeysyms
      xorg.xcbutilrenderutil
      xorg.xcbutilwm
    ];

    runScript = lib.escapeShellArgs [ "/usr/bin/nd" ];
  };
in
# Final package: symlinks to the patched tools, plus "nd" from the FHS wrapper.
stdenv.mkDerivation {
  pname = "tina";
  inherit version;
  dontUnpack = true;

  nativeBuildInputs = [
    copyDesktopItems
  ];

  # NOTE(review): this phase does not call "runHook postInstall", which is
  # where copyDesktopItems is expected to run, and $out/share is a symlink
  # into another store path - verify that the desktop item below is really
  # installed.
  installPhase = ''
    mkdir -p $out/bin
    for bin in ${tinaPatched}/bin/*; do
      bname=$(basename "$bin")
      if [ -f "$bin" ] && [ -x "$bin" ] && [ "$bname" != "nd" ]; then
        ln -s "${tinaPatched}/bin/$bname" "$out/bin/$bname"
      fi
    done
    ln -s ${ndFhs}/bin/nd $out/bin/nd
    ln -s ${tinaPatched}/share $out/share
  '';

  desktopItems = [
    (makeDesktopItem {
      name = "nd";
      desktopName = "Tina NetDraw";
      comment = "Toolbox for the editing and analysis of Petri Nets";
      exec = "nd %f";
      icon = "tina";
      categories = [ "Science" "Education" "Development" ];
      mimeTypes = [ "application/x-net" "application/x-ndr" ];
    })
  ];

  meta = with lib; {
    description = "Tina toolbox for the editing and analysis of Petri Nets";
    homepage = "https://projects.laas.fr/tina/";
    license = licenses.unfree;
    platforms = [ "x86_64-linux" ];
    maintainers = with maintainers; [ ];
  };
}
--------------------------------------------------------------------------------
/profiles/exam/default.nix:
--------------------------------------------------------------------------------
{ pkgs, lib, ...
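}:

# Exam profile: AFS off, Firefox locked to the local proxy, and an nftables
# ruleset that only lets exam machines reach the listed services.
let
  # Commits everything in the current repository, tags the commit and pushes
  # master with its tags. Deliberately best-effort: there is no "set -e", so
  # a failing step does not stop the push.
  submission = pkgs.writeShellScriptBin "submission" ''
    #!/bin/sh

    echo "* Trying to submit"

    git checkout master
    git add --all
    git commit -m "Submission" --allow-empty
    git tag -a "submission-$(git rev-parse --short HEAD)" -m "Submission"
    git push origin master --follow-tags
  '';
in
{
  cri.afs.enable = false;
  cri.packages.pkgs.desktop.firefox = {
    extraPolicies = {
      # Locked policy: users cannot change the proxy from the Firefox UI. The
      # egress rules below are what actually enforce it.
      Proxy = {
        Mode = "manual";
        Locked = true;
        HTTPProxy = "127.0.0.1:8118";
        SSLProxy = "127.0.0.1:8118";
        SOCKSProxy = ""; # see https://bugzilla.mozilla.org/show_bug.cgi?id=1823693
        UseHTTPProxyForAllProtocols = true;
      };
    };
    toolbarBookmarks = [
      {
        Title = "Moodle Exam";
        URL = "https://moodle-exam.epita.fr";
      }
      {
        Title = "Intranet Exam";
        URL = "https://exam.forge.epita.fr";
      }
      {
        Title = "Intranet Exam - Remaining time";
        URL = "https://exam.forge.epita.fr/_exam/session";
      }
    ];
  };

  netboot = {
    nix-store-rw.enable = false;
  };

  # The generic NixOS firewall is switched off here; filtering is done by the
  # hand-written nftables ruleset below.
  networking.firewall.enable = false;

  services.xserver.windowManager.i3 = {
    extraSessionCommands = lib.mkAfter ''
      ${pkgs.exam-start}/bin/exam-start &
    '';
  };

  environment.systemPackages = with pkgs; [
    exam-start
    submission
  ];

  # Warning: do not use domain names in these rules, at the risk of the
  # firewall starting before a nameserver could be fetched from the DHCP
  # server, in which case you might not have a firewall at all.
  networking.nftables = {
    enable = true;
    # Applied to the copy of the ruleset that is checked at build time only;
    # presumably the privoxy user does not exist there - TODO confirm.
    preCheckRuleset = ''
      sed 's/skuid privoxy/skuid nobody/g' -i ruleset.conf
    '';
    ruleset = ''
      table inet filter {
        # Drop incoming traffic except loopback, replies, SSH, node-exporter
        # and ICMP.
        chain input {
          type filter hook input priority 0;

          # accept any localhost traffic
          iifname lo accept

          # accept traffic originated from us
          ct state {established, related} accept

          # accept SSH connections (required for a server)
          tcp dport 22 accept

          # accept node-exporter
          tcp dport 9100 accept

          # Allow ICMP
          ip protocol icmp accept

          drop
        }

        # Outgoing traffic is dropped unless a rule below allows it.
        chain output {
          type filter hook output priority 0;

          # accept any localhost traffic. Locally generated packets have no
          # input interface, so the output hook has to match on oifname; the
          # former "iifname lo" rule could never match here.
          oifname lo accept
          ip daddr 127.0.0.0/8 accept

          # accept traffic originated from us
          ct state {established, related} accept

          # Allow DNS (kresd)
          ip daddr 10.201.5.53 udp dport domain accept

          # kerberos.pie.cri.epita.fr
          ip daddr 91.243.117.186 tcp dport {kerberos,kerberos-adm} accept
          # ldap.pie.cri.epita.fr
          ip daddr 91.243.117.185 tcp dport {ldap,ldaps} accept
          # internal IP address for LDAP and Kerberos
          ip daddr 10.201.5.54 tcp dport {ldap,ldaps,kerberos,kerberos-adm} accept

          # Git Exam CRI
          ip daddr 10.201.5.122 tcp dport ssh accept

          # Git Exam Forge
          ip daddr 10.201.5.123 tcp dport ssh accept

          # NTP
          ip daddr 10.201.5.2 udp dport ntp accept

          # Salt
          ip daddr 10.201.5.0/24 tcp dport {4505,4506} accept

          # Root-owned processes are not filtered at all, so the exam
          # restrictions hold only for as long as users cannot obtain root.
          meta skuid root accept
          # Web traffic may leave the machine only from the privoxy user.
          tcp dport {http, https} meta skuid privoxy accept

          drop
        }

        chain forward {
          type filter hook forward priority 0;
          drop
        }
      }
    '';
  };

  # Retry when loading the ruleset fails, so a transient error does not leave
  # the machine without the exam filter.
  systemd.services.nftables = {
    serviceConfig = {
      Restart = "on-failure";
    };
  };

  cri.privoxy.enable = true;

  # Holds network-online.target back until cri.epita.fr resolves, for at most
  # 60 seconds.
  systemd.services.dns-online = {
    description = "wait for DNS to be online";
    after = [ "nss-lookup.target" ];
    before = [ "network-online.target" ];
    wantedBy = [ "network-online.target" ];

    serviceConfig = {
      Type = "oneshot";
      TimeoutSec = 60;
    };

    script = ''
      while ! ${pkgs.host}/bin/host -t A cri.epita.fr; do
        sleep 1;
      done
    '';
  };
}
--------------------------------------------------------------------------------
/profiles/core/default.nix:
--------------------------------------------------------------------------------
{ pkgs, config, lib, ... }:

with lib;
{
  i18n.defaultLocale = "en_US.UTF-8";
  time.timeZone = "Europe/Paris";

  console = {
    earlySetup = true;
    keyMap = "us";
  };

  nix = {
    package = pkgs.nixVersions.stable;

    settings = {
      sandbox = true;
      # Users trusted by the Nix daemon are effectively root for store
      # operations; keep the wheel group limited to administrators.
      trusted-users = [ "root" "@wheel" ];
      system-features = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
      substituters = [ "https://s3.cri.epita.fr/cri-nix-cache.s3.cri.epita.fr" ];
      trusted-public-keys = [ "cache.nix.cri.epita.fr:qDIfJpZWGBWaGXKO3wZL1zmC+DikhMwFRO4RVE6VVeo=" ];
      auto-optimise-store = false;
      auto-allocate-uids = true;
    };

    gc.automatic = false;
    optimise.automatic = false;

    extraOptions = ''
      experimental-features = nix-command flakes auto-allocate-uids
    '';
  };

  networking = {
    useDHCP = true;
    dhcpcd = {
      wait = "any"; # make sure we get an IP before marking the service as up

      # force_hostname is required because nixpkgs#359571 changed the default
      # hostname from localhost to nixos and dhcpcd only changes the hostname if
      # it is localhost.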
extraConfig = ''
        noipv4ll
        env force_hostname=YES
      '';
    };
    timeServers = [
      "ntp.pie.cri.epita.fr"
      "0.nixos.pool.ntp.org"
      "1.nixos.pool.ntp.org"
      "2.nixos.pool.ntp.org"
      "3.nixos.pool.ntp.org"
    ];
    # Ports 42000-42999 are open for both TCP and UDP on every machine using
    # this profile; the file does not say which service needs them.
    firewall = {
      allowedTCPPortRanges = [
        { from = 42000; to = 42999; }
      ];
      allowedUDPPortRanges = [
        { from = 42000; to = 42999; }
      ];
    };
  };

  # TODO: remove me when fixed upstream, sigh.
  # Loosens the dhcpcd unit so that it may set the hostname. CAP_SYS_ADMIN is
  # a very broad capability, which is one more reason to drop this override
  # as soon as upstream allows.
  systemd.services.dhcpcd.serviceConfig = {
    ProtectHostname = lib.mkForce false;
    SystemCallFilter = lib.mkBefore [ "sethostname" ];
    AmbientCapabilities = [ "CAP_SYS_ADMIN" ];
  };

  security = {
    protectKernelImage = true;
    polkit.enable = true;
  };

  hardware.enableRedistributableFirmware = true;

  # Site services enabled on every machine.
  cri = {
    aria2.enable = true;
    machine-state.enable = true;
    node-exporter.enable = true;
    salt.enable = true;
    sshd.enable = true;
    users.enable = true;
    yubikey.enable = true;
  };
  programs.vim = {
    enable = true;
    defaultEditor = true;
    package = pkgs.vim_configurable;
  };

  cri.packages = {
    pkgs = {
      core.enable = true;
      fuse.enable = true;
    };

    python.core.enable = true;
  };

  documentation = {
    enable = true;
    dev.enable = true;
    doc.enable = true;
    info.enable = true;
    man = {
      enable = true;
      generateCaches = true;
    };
    nixos.enable = true;
  };

  # HACK: this is needed to be able to compile with external libs such as
  # criterion
  environment.pathsToLink = [ "/include" "/lib" ];
  environment.extraOutputsToInstall = [ "out" "lib" "bin" "dev" ];
  environment.variables = {
    NIXPKGS_ALLOW_UNFREE = "1";

    NIX_CFLAGS_COMPILE_x86_64_unknown_linux_gnu = "-isystem /run/current-system/sw/include";
    NIX_CFLAGS_LINK_x86_64_unknown_linux_gnu = "-L/run/current-system/sw/lib";

    CMAKE_INCLUDE_PATH = "/run/current-system/sw/include";
    CMAKE_LIBRARY_PATH = "/run/current-system/sw/lib";

    IDEA_JDK = "/run/current-system/sw/lib/openjdk/";
    PKG_CONFIG_PATH = "/run/current-system/sw/lib/pkgconfig";
  };

  # Kerberos (GSSAPI) authentication for the school's SSH and git hosts.
  # Credentials are delegated to ssh.cri.epita.fr only; the other hosts get
  # authentication without delegation.
  programs.ssh = {
    package = pkgs.openssh_gssapi;
    startAgent = true;
    extraConfig = ''
      AddKeysToAgent yes

      Host git.forge.epita.fr
        GSSAPIAuthentication yes
      Host git.exam.forge.epita.fr
        GSSAPIAuthentication yes
      Host gitlab.cri.epita.fr
        GSSAPIAuthentication yes
      Host ssh.cri.epita.fr
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
    '';
  };

  # The SSH agent comes from programs.ssh above, so gpg-agent's SSH support
  # stays off.
  programs.gnupg = {
    dirmngr.enable = true;
    agent = {
      enable = true;
      pinentryPackage = pkgs.pinentry-gtk2;
      enableBrowserSocket = true;
      enableExtraSocket = true;
      enableSSHSupport = false;
    };
  };

  programs.udevil.enable = true;

  services.lldpd.enable = true;

  system.stateVersion = "22.05";
}
--------------------------------------------------------------------------------
/flake.nix:
--------------------------------------------------------------------------------
{
  description = ''
    collection of Nix packages, NixOS modules and configurations used on
    EPITA's PIE
  '';

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
    nixpkgsUnstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    nixpkgsMaster.url = "github:NixOS/nixpkgs/master";

    machine-state.url = "git+https://gitlab.cri.epita.fr/forge/packages/machine-state.git";

    docker-nixpkgs = {
      url = "github:nix-community/docker-nixpkgs";
      flake = false;
    };

    futils.url = "github:numtide/flake-utils";
    flake-compat = {
url = "github:edolstra/flake-compat";
      flake = false;
    };

    nixpkgs-esp-dev = {
      url = "github:mirrexagon/nixpkgs-esp-dev";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "futils";
    };
  };

  outputs =
    { self

    , nixpkgs
    , nixpkgsUnstable
    , nixpkgsMaster

    , machine-state

    , docker-nixpkgs

    , futils
    , flake-compat
    , nixpkgs-esp-dev
    } @ inputs:
    let
      inherit (nixpkgs) lib;
      inherit (lib) attrValues optional recursiveUpdate;
      inherit (futils.lib) eachDefaultSystem;

      # Instantiates one nixpkgs tree for `system` with the repository's
      # overlays; `withOverrides` additionally applies self.overrides.
      pkgImport = pkgs: system: withOverrides:
        import pkgs {
          inherit system;
          config = {
            allowUnfree = true;
            # Packages nixpkgs marks as insecure that are allowed anyway, for
            # every package set built here. Worth re-checking on each nixpkgs
            # bump.
            permittedInsecurePackages = [
              "freeimage-unstable-2021-11-01"
              "dotnet-sdk-7.0.410"
            ];
          };
          overlays =
            (attrValues self.overlays) ++
            (optional withOverrides self.overrides.${system}) ++ [
              (import "${docker-nixpkgs}/overlay.nix")

              (final: prev: {
                machine-state = machine-state.packages.${system}.machine-state;
              })

              nixpkgs-esp-dev.overlays.default
            ];
        };

      # The three package sets used across the repository; only the stable
      # one gets the overrides.
      pkgset = system: {
        pkgs = pkgImport nixpkgs system true;
        pkgsUnstable = pkgImport nixpkgsUnstable system false;
        pkgsMaster = pkgImport nixpkgsMaster system false;
      };

      # Arguments handed to ./images, ./tests and ./images/docker.nix: the
      # flake inputs plus lib, the system and its package sets.
      argsFor = system: recursiveUpdate inputs {
        inherit lib system;
        pkgset = pkgset system;
      };

      # Keeps the attributes whose name does not end in `suffix`.
      withoutSuffix = suffix: lib.filterAttrs (name: _: !lib.hasSuffix suffix name);

      # Flake "app" entry for an executable path.
      mkApp = program: {
        type = "app";
        inherit program;
      };

      anySystemOutputs = {
        lib = import ./lib { inherit lib; };

        overlays = import ./pkgs/overlays.nix { inherit lib; };

        nixosModules = (import ./modules) // {
          profiles = import ./profiles;
          nixpie = import ./modules/nixpie.nix;
        };

        nixosConfigurations = import ./images (argsFor "x86_64-linux");

        # works like hydraJobs
        gitlabCiJobs = {
          images.x86_64-linux = withoutSuffix "-local"
            (lib.mapAttrs (_: nixosConfig: nixosConfig.config.system.build.toplevel) self.nixosConfigurations);
          packages.x86_64-linux = withoutSuffix "-docker" self.packages.x86_64-linux;
          checks.x86_64-linux = self.checks.x86_64-linux;
        };
      };

      multiSystemOutputs = eachDefaultSystem (system:
        let
          inherit (pkgset system) pkgs pkgsUnstable pkgsMaster;
        in
        {
          checks = import ./tests (argsFor system);

          devShells.default = pkgs.mkShell {
            name = "nixpie";
            buildInputs = with pkgs; [
              awscli
              git
              pkgsMaster.nix-diff
              nixpkgs-fmt
              nix-eval-jobs
              pre-commit
              shellcheck
            ];
          };

          apps =
            let
              checkList = builtins.attrNames self.checks.${system};
              imageList = builtins.attrNames self.nixosConfigurations;
              pkgsList = builtins.attrNames (withoutSuffix "-docker" self.packages.${system});
              dockerList = builtins.attrNames (lib.filterAttrs (name: _: lib.hasSuffix "-docker" name) self.packages.${system});
              # App that prints one list element per line.
              mkListApp = list: mkApp
                (toString (pkgs.writeShellScript "list.sh" (lib.concatMapStringsSep "\n" (el: "echo '${el}'") list)));
            in
            {
              list-checks = mkListApp checkList;
              list-docker = mkListApp dockerList;
              list-images = mkListApp imageList;
              list-pkgs = mkListApp pkgsList;

              awscli = mkApp "${pkgs.awscli}/bin/aws";
              nix-diff = mkApp "${pkgsMaster.nix-diff}/bin/nix-diff";
              nix-eval-jobs = mkApp "${pkgs.nix-eval-jobs}/bin/nix-eval-jobs";
              nixpkgs-fmt = mkApp "${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt";
              skopeo = mkApp "${pkgs.skopeo}/bin/skopeo";
            };

          overrides = import ./pkgs/overrides.nix { inherit pkgsUnstable pkgsMaster; };

          packages = (import ./pkgs { inherit lib pkgs; }) // (import ./images/docker.nix (argsFor system));
        });
    in
    recursiveUpdate multiSystemOutputs anySystemOutputs;
}
--------------------------------------------------------------------------------